Table 8.
Consensus Expectations for the Content Area, “Accountability”
| Health information trustees should be accountable for adhering to standards for the collection, storage, and use of personally identifiable health information, including the responsible transfer of information to other accountable information trustees. |
| 8.1 Health information trustees furnish clear policies and materials to all of their agents who have access to identifiable health information to support their training in the proper handling of sensitive health information. |
| 8.2 Health information trustees ensure that individuals handling identifiable health information are properly trained, on a regular basis, in their security and confidentiality standards, including requirements that are specific to each individual's job. |
| 8.3 Reprimands, feedback, education, probation, and other appropriate methods are used to enforce adherence to privacy and confidentiality protection standards. |
| 8.4 Written policies specify what level of penalty will result from specific breaches of privacy and confidentiality protections. |
| 8.5 Individuals with access to identifiable health information display knowledge of protections afforded this information and the penalties associated with breaching the security or confidentiality of this information. |
| 8.6 Health information trustees have in place a formal internal mechanism for individuals to bring forth, without fear of reprisal, complaints of inappropriate collection, storage, or use of personally identifiable health information. |
| 8.7 When an internal review mechanism does not provide a satisfactory resolution, there is an opportunity for external review of unresolved privacy complaints. |
| 8.8 Health information trustees, unless otherwise prevented by law, require a written statement of adherence to privacy, security, and confidentiality standards from all employees, agents, subcontractors, and outside organizations who wish to gain access to protected health information. |