Compliance Reference

45 CFR § 164.530

Administrative requirements (HIPAA Privacy Rule)


What does 45 CFR § 164.530 require?

45 CFR 164.530 is the administrative-requirements section of the HIPAA Privacy Rule — the people-side, policy-side, and documentation-side controls every covered entity must have in place to actually run a Privacy Rule program. Ten obligations: designate a Privacy Official; designate a contact person/office for complaints and notice questions; train the entire workforce on PHI policies and procedures (at hire, after material changes, after role changes); implement administrative, technical, and physical safeguards; provide a working complaint process and log every complaint and disposition; apply and document sanctions when workforce members violate privacy policies or the Rule; mitigate known harmful effects of improper uses or disclosures; never retaliate against people who exercise HIPAA rights, file complaints, or cooperate with OCR; never require individuals to waive HIPAA rights; have written policies and procedures; and retain those records for at least six years. The most-cited gaps in OCR HIPAA Privacy Rule enforcement actions are missing or inadequate workforce training records, missing complaint logs, missing sanction documentation, and policies that exist on paper but have no evidence of implementation. The §164.530(j) six-year retention requirement applies not only to the policies themselves but to every record OCR could ask for during an investigation — training rosters, sanction memos, complaint dispositions, mitigation actions, NPP receipts, and accounting-of-disclosures logs.

Regulation text (summary)

45 CFR 164.530 sets the administrative requirements of the HIPAA Privacy Rule. Covered entities (and, by extension under §164.504(e), their business associates for the obligations imposed by contract) must (1) designate a Privacy Official responsible for the development and implementation of the entity's privacy policies and procedures (§164.530(a)(1)(i)) and a contact person or office to receive complaints and provide notice information (§164.530(a)(1)(ii)); (2) train all members of the workforce on the entity's PHI policies and procedures as necessary and appropriate for them to carry out their function — at hire for new workforce members joining after the compliance date, within a reasonable time after a material change in policy or procedure, and after a workforce member's functions change (§164.530(b)); (3) implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI from any intentional or unintentional use or disclosure that violates the Privacy Rule (§164.530(c)); (4) provide a process for individuals to make complaints concerning the entity's policies and procedures or its compliance with the Privacy Rule, and document all complaints received and their disposition (§164.530(d)); (5) apply appropriate sanctions against workforce members who fail to comply with the entity's privacy policies or the Privacy Rule, and document sanctions applied (§164.530(e)); (6) mitigate, to the extent practicable, any harmful effect known to the covered entity of a use or disclosure of PHI in violation of its policies or the Privacy Rule (§164.530(f)); (7) refrain from intimidating, threatening, coercing, discriminating against, or taking other retaliatory action against any individual for exercising a right under the Privacy Rule, filing a complaint, testifying, assisting in an investigation, or opposing an unlawful act (§164.530(g)); (8) not require individuals to waive their rights under §160.306, §164.502, or §164.524 as a condition of treatment, payment, enrollment, or eligibility for benefits (§164.530(h)); (9) implement written policies and procedures designed to comply with the Privacy Rule (§164.530(i)); and (10) maintain the policies and procedures, communications, designations, and other records required by the Privacy Rule in written or electronic form for six years from the date of creation or the date when last in effect, whichever is later (§164.530(j)).

Read full regulation at eCFR.gov

Who must comply with 45 CFR § 164.530?

All HIPAA covered entities (health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a HIPAA transaction). The administrative requirements apply across the full spectrum — solo medical practices, dental offices, community pharmacies, large hospital systems, health insurers, Medicare/Medicaid health plans, and group health plans. Business associates are bound by §164.530-style obligations through their business associate contracts under §164.504(e) — the BA must agree to safeguards, sanctions, training, and a complaint process consistent with the covered entity's. Hybrid entities (organizations with both covered and non-covered components) must implement §164.530 within the health-care component. Organized Health Care Arrangements may share certain Privacy Rule responsibilities under §164.506. Small-practice exception: NONE. §164.530 applies in full to a one-provider clinic. The Privacy Rule scales — a solo practice writes shorter, simpler policies than a 1,000-provider health system — but every element of §164.530 must be addressed and documented.

What happens if you violate 45 CFR § 164.530?

Civil Monetary Penalties under 45 CFR §160.404 (2026 inflation-adjusted): Tier 1 (unknowing) $137-$68,928 per violation; Tier 2 (reasonable cause, not willful neglect) $1,379-$68,928 per violation; Tier 3 (willful neglect, corrected within 30 days) $13,785-$68,928 per violation; Tier 4 (willful neglect, not timely corrected) $68,928 per violation. Annual cap per identical-provision category: $2,067,813. Each day a violation continues, and each individual whose PHI is affected, can be counted as a separate violation. HHS Office for Civil Rights (OCR) is the enforcement agency. OCR has multiple enforcement pathways triggered by §164.530 gaps: (1) individual complaints filed directly with OCR via the OCR Complaint Portal — OCR receives tens of thousands of HIPAA complaints per year and §164.530(d) requires every covered entity to have a complaint process and log; (2) Breach Notification Rule reports under §§164.400-414 — breaches affecting 500+ individuals are posted on the OCR public breach portal and trigger investigation; (3) compliance reviews and audits initiated by OCR; and (4) referrals from state attorneys general (who have concurrent HIPAA enforcement authority under HITECH §13410). Resolution agreements typically include 1-3 year corrective action plans with quarterly reporting, OCR-approved policy revisions, mandatory workforce retraining, and ongoing OCR monitoring. The §164.530(g) anti-retaliation provision is independently enforceable — retaliating against a workforce member who reports a HIPAA concern internally or to OCR is itself a Privacy Rule violation, on top of any underlying issue.

Penalty range: $137–$2,067,813

Annual citations: ~27,410

YoY penalty trend: +5.4%

How to comply (implementation checklist)

  1. Designate a Privacy Official in writing under §164.530(a)(1)(i). Document the role, authority, and reporting line. The Privacy Official can also serve as the Security Official (§164.308(a)(2)) — document the dual designation.
  2. Designate a contact person or contact office to receive complaints and respond to questions about the Notice of Privacy Practices, per §164.530(a)(1)(ii). Publish the contact information in the NPP, on the entity's website, and in patient-facing materials.
  3. Train all workforce members on PHI policies and procedures at hire (§164.530(b)(2)(i)(A)), within a reasonable time after material policy changes (§164.530(b)(2)(i)(B)), and when a workforce member's functions change (§164.530(b)(2)(i)(C)). Maintain per-employee training records — date, content modules, role-specific content, employee acknowledgment — for 6 years.
  4. Document and implement administrative, technical, and physical safeguards per §164.530(c). For ePHI, these largely overlap with §164.308 / §164.310 / §164.312. For paper PHI and verbal disclosures, separate safeguards apply — minimum-necessary access, locked storage, private conversations, fax-coversheet practices, secure-disposal procedures.
  5. Establish and publish a complaint process under §164.530(d). Implement a complaint log capturing date received, source, nature, investigation, disposition, and resolution. Workforce members must know how to receive and route complaints. Retain the log 6 years.
  6. Maintain a written sanction policy under §164.530(e) that defines graduated sanctions for privacy violations — including unintentional disclosures, snooping, unauthorized access, social-media incidents, and willful misconduct. Document every sanction action — employee, date, violation, sanction applied, supervisor sign-off. Retain 6 years.
  7. Define and document mitigation procedures under §164.530(f) — how the entity responds to known harmful effects of improper uses or disclosures, including notification of recipients, recovery of records, retraining, and technical containment. Maintain a mitigation log of actions taken.
  8. Communicate and enforce the §164.530(g) anti-retaliation policy. Train managers explicitly on the prohibition against retaliating against workforce members who report HIPAA concerns or cooperate with OCR. Document the policy and training delivery.
  9. Eliminate any waiver-of-rights language from intake forms, treatment agreements, payment forms, enrollment paperwork, or eligibility documents. §164.530(h) bars conditioning treatment, payment, enrollment, or eligibility on waiver of HIPAA rights.
  10. Maintain a written, current set of privacy policies and procedures under §164.530(i). Map each policy section to the corresponding Privacy Rule citation. Version-control the policies. Retire and archive prior versions (still subject to 6-year retention).
  11. Maintain all §164.530 records — policies, training rosters, complaint logs, sanction actions, mitigation actions, designations, NPPs, BAAs, authorization records, accounting-of-disclosures records — in written or electronic form for 6 years from the later of date of creation or last effective date (§164.530(j)).
  12. Conduct an internal §164.530 audit at least annually — confirm Privacy Official designation is current, training is up-to-date for every workforce member, complaint log is being maintained, sanctions are being applied and documented, and 6-year retention is intact for all required records.
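An added example, not code from the page or from FileFlo, of how the annual internal audit in step 12 can be scripted over the entity's own records. It implements three of the checklist's checks: PHI access granted before training was completed (§164.530(b)), complaints with no documented disposition (§164.530(d)), and the §164.530(j) retention clock that runs six years from the later of creation or last-in-effect date. All names, dates and record titles are constructed sample data.

```python
"""Internal 45 CFR 164.530 audit over constructed records (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

RETENTION_YEARS = 6  # 164.530(j)(2)


@dataclass(frozen=True)
class WorkforceMember:
    name: str
    training_completed: Optional[date]   # None = no training record on file
    phi_access_granted: Optional[date]   # None = role has no PHI access


@dataclass(frozen=True)
class Complaint:
    complaint_id: str
    received: date
    disposition: Optional[str]           # None = no documented resolution


@dataclass(frozen=True)
class Record:
    title: str
    created: date
    last_in_effect: Optional[date]       # None = still in effect today


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(rec: Record, today: date) -> date:
    """164.530(j): clock starts at the LATER of creation or last-in-effect.
    A record still in effect is treated as last in effect today."""
    anchor = max(rec.created, rec.last_in_effect or today)
    return add_years(anchor, RETENTION_YEARS)


def training_gaps(roster: List[WorkforceMember]) -> List[str]:
    """Members given PHI access with no training, or trained only afterwards."""
    return [m.name for m in roster if m.phi_access_granted is not None
            and (m.training_completed is None
                 or m.training_completed > m.phi_access_granted)]


def open_complaints(log: List[Complaint]) -> List[str]:
    """164.530(d): every complaint needs a documented disposition."""
    return [c.complaint_id for c in log if not c.disposition]


def past_retention(records: List[Record], today: date) -> List[str]:
    """Records whose 6-year retention window has fully elapsed."""
    return [r.title for r in records if retention_end(r, today) <= today]


# Constructed sample data (not a real entity).
ROSTER = [
    WorkforceMember("Alice", date(2024, 1, 10), date(2024, 1, 15)),   # trained first
    WorkforceMember("Bob", date(2024, 3, 1), date(2024, 2, 20)),      # access before training
    WorkforceMember("Carol", None, date(2024, 5, 1)),                 # never trained
    WorkforceMember("Dan", date(2024, 6, 1), None),                   # no PHI access
]
COMPLAINTS = [
    Complaint("C-001", date(2024, 2, 2), "Resolved: misrouted statement recalled"),
    Complaint("C-002", date(2024, 4, 9), None),
]
RECORDS = [
    Record("Privacy policy v1", date(2015, 3, 1), date(2019, 3, 1)),
    Record("Privacy policy v2", date(2019, 3, 1), date(2023, 7, 1)),  # retired 2023, keep to 2029
    Record("Privacy policy v3", date(2023, 7, 1), None),
    Record("Training roster 2019", date(2019, 12, 31), date(2019, 12, 31)),
]


def run_audit(today: date) -> Dict[str, List[str]]:
    return {"training_gaps": training_gaps(ROSTER),
            "open_complaints": open_complaints(COMPLAINTS),
            "past_retention": past_retention(RECORDS, today)}


if __name__ == "__main__":
    for check, hits in run_audit(date(2026, 1, 15)).items():
        print(f"{check}: {hits}")
```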

Common misinterpretations

  • Misinterpretation: 'Training only needs to happen at hire.' Reality: §164.530(b)(2)(i) requires training (A) at hire for new workforce members joining after the compliance date, (B) within a reasonable period of time after a material change to the entity's privacy policies or procedures, AND (C) for each workforce member whose functions change in a manner that affects the workforce member's use or disclosure of PHI. OCR has cited entities for failing to retrain after policy updates and role changes. Industry standard and a practical bar: annual refresher training plus event-driven training.
  • Misinterpretation: 'The Privacy Official and the Security Official have to be different people.' Reality: They do not. One person can serve as both Privacy Official (§164.530(a)(1)(i)) and Security Official (§164.308(a)(2)). In small and mid-size practices it is common — and acceptable — to combine the roles in one written designation, provided the individual has the authority, resources, and time to perform both functions. The designation must be in writing.
  • Misinterpretation: 'Sanctions are required only for major intentional misconduct.' Reality: §164.530(e) requires sanctions for workforce members who fail to comply with privacy policies OR the Privacy Rule. The sanction policy must address a graduated response — verbal warning, written warning, retraining, suspension, termination, and referral to law enforcement when warranted — applicable to negligent disclosures, snooping in records, unauthorized access, social-media posts, and any other policy violations. OCR investigators ask to see (a) the written sanction policy and (b) documented evidence of sanctions actually applied. 'We have a policy but never had to use it' is rarely credible in any organization with more than a handful of workforce members.
  • Misinterpretation: 'A complaint process means a phone number in the Notice of Privacy Practices.' Reality: §164.530(d) requires both a mechanism for individuals to make complaints AND documentation of all complaints received and their disposition. OCR-cited gaps include (a) no internal complaint log, (b) complaints received but not investigated, (c) complaints received but no resolution documented, (d) workforce unaware of the complaint contact, and (e) no complaint process for complaints submitted to anyone other than the contact person of record. The complaint log is a required §164.530(j) record retained for 6 years.
  • Misinterpretation: 'Documentation requirements are policy-and-procedure documents only.' Reality: §164.530(j)(2) requires retention for 6 years of policies and procedures, AND any communication required to be in writing under the Privacy Rule, AND any action, activity, or designation required to be documented. That includes Privacy Official designations, training rosters and records, complaint logs and dispositions, sanction actions, mitigation actions, business associate agreements, Notice of Privacy Practices versions and acknowledgments, accounting-of-disclosures requests and responses, access-request decisions, restriction-request decisions, and authorization records. The 6-year clock runs from the later of (a) date of creation or (b) date last in effect — so a policy retired 5 years ago that was in effect for 4 years must be kept 6 years from the retirement date, not 6 years from origination.
  • Misinterpretation: 'Mitigation is a best practice, not a requirement.' Reality: §164.530(f) requires the covered entity to mitigate, to the extent practicable, any harmful effect known to the covered entity of a use or disclosure of PHI in violation of its policies or the Privacy Rule. This is a separate, independent obligation from breach notification (§§164.400-414). Even when a disclosure does not meet the §164.402 breach definition (e.g., low probability of compromise after risk assessment), §164.530(f) still requires mitigation efforts — recovery of disclosed records, notifications to the recipient, internal retraining, technical controls — and OCR expects documentation of what mitigation was performed.

Real enforcement examples

Anonymized from public FMCSA enforcement summaries. Penalty amounts reflect assessed and final settled values where disclosed.

OCR resolution agreement: hospital system paid $2.4M and entered a 2-year corrective action plan after a workforce member shared patient PHI with the media during an unrelated incident. OCR investigation cited §164.530(b) workforce training gaps — staff had received generic HIPAA training but no role-specific or scenario-based training on media interactions and on what counted as PHI in non-clinical conversations — and §164.530(e) sanction-policy gaps, because no documented sanction had been applied at the time of the OCR investigation.

Source: HHS Office for Civil Rights resolution agreements (anonymized pattern; reflects multiple 2020-2024 Privacy Rule enforcement actions)

OCR settlement: regional medical practice paid $100,000 and adopted a 1-year corrective action plan after an OCR complaint investigation found no documented workforce training program, no internal complaint log, and an outdated written privacy policy that did not reflect HITECH and Omnibus Rule changes. The cited violations were §164.530(b), §164.530(d), §164.530(i), and §164.530(j) — administrative-requirements gaps standing alone, without any PHI breach having occurred.

Source: HHS Office for Civil Rights resolution agreements (anonymized pattern; reflects 2018-2023 small-practice Privacy Rule investigations)

How FileFlo handles 45 CFR § 164.530

FileFlo's compliance rule-pack HHS-OCR-45CFR164.530 automatically checks every document you upload against this regulation. Auto-detects document type, parses key fields, sets renewal alerts, and surfaces this section in your audit binder if a gap is found.


Frequently asked questions

How often must HIPAA Privacy Rule workforce training be conducted under 45 CFR 164.530(b)?

45 CFR 164.530(b)(2)(i) requires training on three triggers: (A) for each new member of the workforce within a reasonable period of time after the person joins the workforce; (B) for each member of the workforce whose functions are affected by a material change in policies or procedures, within a reasonable period of time after the material change becomes effective; and (C) for each workforce member whose functions change in a manner that affects the use or disclosure of PHI. There is no explicit calendar interval in the regulation, but OCR guidance, industry standard, and prevailing audit expectation is annual refresher training for every workforce member plus event-driven retraining on the three statutory triggers. Annual training also dovetails with §164.308(a)(5) security awareness training and is commonly delivered in a combined annual session.

When does new-hire HIPAA training have to be delivered under 45 CFR 164.530(b)?

§164.530(b)(2)(i)(A) states 'within a reasonable period of time after the person joins the workforce.' OCR has not set a fixed number of days, but the prevailing practical standard is BEFORE the workforce member is given access to PHI in the course of their duties — and in any event no later than the end of the new-hire orientation period (typically 30 days). Granting PHI access to a workforce member who has not yet completed HIPAA training is a frequently cited finding in OCR investigations. Document the training-completion date and the date PHI access was granted; the first should not be later than the second.

Who counts as a 'workforce member' for purposes of 45 CFR 164.530(b) training?

§160.103 defines workforce as employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such entity or associate, whether or not they are paid by the covered entity or business associate. This is broader than 'employees' — it includes volunteers, students, interns, contracted clinicians treated as workforce, and temporary staff. Business associate personnel (e.g., a billing-company employee) are NOT the covered entity's workforce — the BA is responsible for training its own workforce, and the BAA under §164.504(e) is how that obligation flows down. Covered entities should maintain a workforce roster separately from employee rosters specifically to scope §164.530(b) training.

Is there a small-practice exception to 45 CFR 164.530?

No. There is no small-practice exception to the HIPAA Privacy Rule administrative requirements. A solo provider must designate a Privacy Official (and may serve in that role personally), train every workforce member including themselves and any staff, have a documented sanction policy, maintain a complaint process, document policies and procedures in writing, and retain records for 6 years. The Privacy Rule scales in complexity — a solo practice's policy manual may be a few pages and its training may be a short annual session — but every §164.530 obligation applies. OCR has imposed five- and six-figure penalties on small practices for missing training records, missing complaint logs, and missing sanction documentation, often discovered during investigations of unrelated patient complaints or small breaches.

What format must 45 CFR 164.530(j) Privacy Rule documentation be kept in?

§164.530(j)(1) requires documentation in written form, which may be electronic, of (i) the policies and procedures provided for in §164.530(i); and (ii) any communication required by the Privacy Rule to be in writing; and (iii) any action, activity, or designation that the Privacy Rule requires to be documented. Electronic records (PDF, LMS exports, SaaS audit logs, version-controlled policy documents) satisfy the 'written' requirement provided they are retrievable, intact, and produced on request. OCR investigators typically expect to receive responsive documents within the response deadline of an OCR request (usually 30 days). Records must be retained for 6 years from the later of date of creation or date last in effect. Inability to produce a required record within the response window is, in OCR practice, often treated the same as the record not existing.

Does 45 CFR 164.530(f) mitigation apply when a disclosure does not meet the §164.402 breach definition?

Yes. §164.530(f) is an independent obligation. It requires the covered entity to mitigate, to the extent practicable, any harmful effect known to the covered entity of a use or disclosure of PHI in violation of its policies or the Privacy Rule — regardless of whether the use or disclosure meets the §164.402 breach definition triggering Breach Notification Rule obligations. A misdirected fax containing limited PHI that is recovered and confirmed destroyed may not be a notifiable breach after a §164.402(2) risk assessment — but the covered entity still has a §164.530(f) duty to take mitigation steps (recovery, recipient notification, retraining the workforce member responsible) and to document those steps. OCR has cited covered entities for failing to mitigate even where notification was not required.

Related regulations

45 CFR 164.502 · 45 CFR 164.504 · 45 CFR 164.520 · 45 CFR 164.524 · 45 CFR 164.308 · 45 CFR 164.312 · 45 CFR 164.316 · 45 CFR 160.306 · 45 CFR 160.404

Author

Chad Griffith

Founder + CEO, FileFlo · Defense + Aviation + healthcare operations background


Sources + reviewer

Primary source: eCFR.gov — 45 CFR § 164.530

Reviewed by Chad Griffith (Founder + CEO, FileFlo) on

Disclaimer: This page summarizes a federal regulation in plain English. FileFlo is not a law firm; this is not legal advice. The regulation text and primary sources at eCFR.gov are authoritative. Consult qualified counsel for advice specific to your operation.