Jump to main content

Administrative Requirements

  • A covered entity must develop written privacy policies and procedures that are consistent with the Privacy Rule
  • An entity must designate a Privacy Official and a contact person or contact office responsible for developing policies and for receiving complaints and providing individuals with information on the entity's privacy practices
  • Must provide Workforce Training and Management to workforce members who include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the entity (whether or not they are paid). An entity must train all workforce members on its privacy policies yearly.
  • A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy practices or the Privacy Rule
  • A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of PHI by its workforce or its business associates in violation of its privacy policies or the Privacy Rule
  • An entity must maintain reasonable and appropriate administrative, technical and physical safeguards to prevent intentional or unintentional use of PHI in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use. For example safeguards might include:
    • Shredding documents containing PHI (do not discard in the trash)
    • Securing medical records with a lock and key or pass code
    • Limiting access to PHI
    • Escorting authorized personnel in areas that contain PHI
    • Using a secure email and encrypting identifiable information
  • A covered entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. The covered entity must explain those procedures in its privacy practices notice. Among other things, the covered entity must identify to whom individuals can submit complaints to at the entity and advise that complaints also can be submitted to the SEcretary of Human and Health Services. See Filing Complaints for more information.