4.10 ACCOUNTABILITY FOR IMPLEMENTATION OF THE FINAL RULES

Both rules require that a specific person or group in a CE be assigned the responsibility of ensuring that provisions of the Security Rule and the Privacy Rule are implemented as required under the final rules and within the specified time frames .

The person or group assigned responsibility for implementing the provisions of the Privacy Rule may or may not be the same person or group who is made responsible for implementing the provisions of the Security Rule.

The goal of the provisions under both rules is to promote accountability i.e. ensure that a specific person or group can be held accountable for the implementation of the provisions rather than an 'amorphous' organization i.e. a single point of responsibility.

The principle is defined as 'Designating a Privacy Official' in the Privacy Rule and 'Assigned Security Responsibility' in the Security Rule. Obviously if the responsibility for the implementation of the provisions of the final Security Rule and the final Privacy Rule is split, it is crucial that the persons and groups responsible work together in a highly collaborative manner to ensure that the provisions of both rules are implemented in a complementary and cohesive manner.

In both cases it is stated that it is understood that the person or group that are given the responsibility for the implementation of the provisions under the final rules may not have the skills or expertise to implement all the provisions on their own and would therefore bring in others to assist them in this endeavor. In the event that they were to do this they would still be responsible for the organization meeting it's obligations under the final rules.