HIPAA Privacy - Personnel Designations 164.530(a)

Overview:
(a)(1) Standard: Personnel designations.
(i) A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.
(ii) A covered entity must designate a contact person or office who is responsible for receiving complaints under this section and who is able to provide further information about matters covered by the notice required by § 164.520.
(2) Implementation specification: Personnel designations. A covered entity must document the personnel designations and maintain in written or electronic form for six years.

Action Items:
1) Inquire of management (1) who is responsible for the development and implementation of the privacy policies and procedures; and(2) what person or office is designated to receive privacy complaints.
2) Obtain and review documentation to determine if the above items are maintained in electronic or written form and retained for a period of six years.

Related Documents:
1) Documentation to determine if the privacy policies and procedures are maintained in electronic or written form and retained for a period of six years.

Additional Guidance:
A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.