The Organization shall:

  1. Draft and maintain policies, procedures, and processes targeting privacy and security of patient PHI pursuant to all applicable regulations;
  2. Use HIPAA-compliant electronic communication and data storage system for securing patient PHI;
  3. Document that its Notice of Privacy Practices was shared with patients and honor the provisions included in compliance with applicable regulations; and
  4. Assign a Privacy and Security Officer with the appropriate level of access, experience, and expertise responsible for creating, training, and executing policies and procedures that protect the privacy and security of electronic PHI.