164.530(d) Complaints. All covered entities must provide a process for individuals to complain about its compliance with the Breach Notification Rule. Audit Inquiry 164.530(d) - Complaints to the covered entity Does the covered entity have a process in place for individuals to complain about its compliance with the Breach Notification Rule? Obtain the covered entity's policies and procedures for individual complaints. Evaluate whether they are consistent with the requirement to provide a process for individuals to complain about the covered entity's compliance with the Breach Notification Rule. Has the covered entity received any such complaints? If yes, obtain and review a list of complaints received in the specified period and the disposition of such complaints. Obtain and assess additional documentation of actions taken by the covered entity to investigate and resolve the complaints. Assess whether the actions were completed in accordance with these requirements and the entity's policies and procedures.

§ 164.314(a)(2)(ii): The covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3). Audit Inquiry Does the entity have policies and procedures in place regarding other arrangements to have in place (e.g., a Memorandum of Understanding if the covered entity and business associate are government agencies) that meet the requirements of 45 CFR § 164.504(e)(3)? Obtain and review documentation of the entity's other arrangements with business associates. Evaluate and determine if the other arrangements meet the requirements of 45 CFR § 164.504(e)(3). Required/Addressable Required