Personnel designations

(a)(1) Standard: Personnel designations.
(i) A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.
(ii) A covered entity must designate a contact person or office who is responsible for receiving complaints under this section and who is able to provide further information about matters covered by the notice required by § 164.520.
(2) Implementation specification: Personnel designations. A covered entity must document the personnel designations and maintain in written or electronic form for six years.

Audit Inquiry

Has the covered entity designated a privacy official and a contact person consistent with the established performance criterion?
Inquire of management (1) who is responsible for the development and implementation of the privacy policies and procedures; and(2) what person or office is designated to receive privacy complaints.
Obtain and review documentation to determine if the above items are maintained in electronic or written form and retained for a period of six years.