§164.530(c)(1) Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. (2)(i) Implementation specification: Safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.
(ii) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.
Audit Inquiry
Has the covered entity implemented administrative, technical, and physical safeguards to protect all PHI from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart? Does the covered entity reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure?
Obtain and review policies and procedures to determine if appropriate administrative, technical, and physical safeguards are in place.
Obtain and review documentation of specific safeguards in place from all three categories to reasonably protect the PHI. Such documentation may include, but is not limited to, policies and procedures, photographic or documentary documentation of physical and technical safeguards, and statements from privacy and security officials.