
Organizational Requirements under the Privacy Rule

These are the administrative requirements of the HIPAA Privacy Rule (45 CFR §164.530) that a healthcare provider, as a covered entity, must follow with regard to its internal organizational practices.

Designate a Privacy Official

The healthcare provider must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.

The provider must designate a contact person or office who is responsible for receiving complaints under this section and who is able to provide further information about matters covered by the privacy notice.

The provider must document the designation of the privacy official and of the contact person or office, including their contact information.

Workforce Training

The healthcare provider must train all members of its workforce on the policies and procedures with respect to protected health information, as necessary and appropriate for the members of the workforce to carry out their functions within the organization.

The provider must provide training as follows:

    • To each member of the workforce by no later than the compliance date (April 14, 2003);
    • Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and
    • To each member of the workforce whose functions are affected by a material change in the policies or procedures within a reasonable period of time after the material change becomes effective.

The provider must document that the training has been provided.

Data Safeguards

The healthcare provider must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

The provider must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that violates the standards, implementation specifications, or other requirements of the rule.

The provider must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.

Complaints to the Provider

The healthcare provider must provide a process for individuals to make complaints concerning the provider's policies and procedures or its compliance with such policies and procedures.

The provider must document all complaints received, and their disposition, if any.

Workforce Sanctions

The provider must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the organization or the requirements of the rule.

This standard does not apply to a member of the workforce with respect to actions that are covered by, and that meet the conditions of, the rule's whistleblower provisions.

The provider must document the sanctions that are applied, if any.

Refraining from Intimidating or Retaliatory Acts

A provider—

    • May not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any right established by the Privacy Rule, or for participation in any process provided for by the rule, including the filing of a complaint under this section; and
    • Must refrain from intimidation and retaliation as provided in the HIPAA enforcement regulations (45 CFR §160.316).

Mitigation

The healthcare provider must mitigate, to the extent practicable, any harmful effect that is known to it of a use or disclosure of protected health information, by the provider or its business associate, that violates the provider's policies and procedures or the requirements of the rule.

Waiver of Rights

The healthcare provider may not require individuals to waive their rights under the Privacy Rule, as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

Policies and Procedures

The healthcare provider must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of the rule. The policies and procedures must be reasonably designed, taking into account the size of the covered entity and the type of activities relating to protected health information that it undertakes, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement.

Changes to Policies and Procedures

The healthcare provider must change its policies and procedures as necessary and appropriate to comply with changes in the law, including the standards, requirements, and implementation specifications of the Privacy Rule.

When a provider changes a privacy practice that is stated in the notice, and makes corresponding changes to its policies and procedures, it may make the changes effective for protected health information that it created or received prior to the effective date of the notice revision only if the notice includes a statement reserving the provider's right to make such a change in its privacy practices.

The provider may make any other changes to its policies and procedures at any time, provided that the changes are documented and implemented according to the procedures below.

Changes in Law

Whenever a change in law necessitates a change to the provider's policies or procedures, the provider must promptly document and implement the revised policy or procedure. If the change in law materially affects the content of the notice of privacy practices required by the rule, the provider must promptly make the appropriate revisions to the notice.

Changes to Privacy Practices Stated in the Notice

To implement a change to a privacy practice stated in its notice of privacy practices, a provider must:

    • Ensure that the policy or procedure, as revised to reflect the changed practice, complies with the standards, requirements, and implementation specifications of the rule;
    • Document the policy or procedure, as revised; and
    • Revise the notice to state the changed practice and make the revised notice available. The provider may not implement a change to a policy or procedure prior to the effective date of the revised notice.

If a provider has not reserved its right to change a privacy practice that is stated in the notice, the provider is bound by the privacy practices as stated in the notice with respect to protected health information created or received while such notice is in effect. A provider may change a privacy practice that is stated in the notice, and the related policies and procedures, without having reserved the right to do so, provided that:

    • Such change meets the implementation specifications; and
    • Such change is effective only with respect to protected health information created or received after the effective date of the notice.

Changes to other Policies or Procedures

A provider may change, at any time, a policy or procedure that does not materially affect the content of the notice, provided that:

    • The policy or procedure, as revised, complies with the standards, requirements, and implementation specifications of the rule; and
    • Prior to the effective date of the change, the policy or procedure, as revised, is documented.

Documentation

A provider must:

    • Maintain the policies and procedures in written or electronic form;
    • If a communication is required to be in writing, maintain such writing, or an electronic copy, as documentation;
    • If an action, activity, or designation is required to be documented, maintain a written or electronic record of such action, activity, or designation; and
    • Maintain documentation sufficient to meet its burden of proof under the Breach Notification Rule.

Retention Period

The provider must retain the documentation for six (6) years from the date of its creation or the date when it was last in effect, whichever is later.


45 CFR §164.530
