Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble. Section 160.308 - Basis for Conducting Compliance Reviews


Comment: A number of comments expressed concern that the Secretary would conduct compliance reviews without having received a complaint or having reason to believe there is noncompliance. A number of these commenters appeared to believe that the Secretary would engage in "routine visits." Some commenters suggested that the Secretary should only be able to conduct compliance reviews if the Secretary has initiated an investigation of a complaint regarding the covered entity in the preceding twelve months. Some commenters suggested that there should only be compliance reviews based on established criteria for reviews (e.g., finding of "reckless disregard"). Many of these commenters stated that cooperating with compliance reviews is potentially burdensome and expensive.

One commenter asked whether the Secretary will have a process for reviewing all covered entities to determine how they are complying with requirements. This commenter questioned whether covered entities will be required to submit plans and wait for Departmental approval.

Another commenter suggested that the Secretary specify a time limit for the completion of a compliance review.

Response: We disagree with the commenters that the final rule should restrict the Secretary's ability to conduct compliance reviews. The Secretary needs to maintain the flexibility to conduct whatever reviews are necessary to ensure compliance with the rule.