(a)(1) Standard: Personnel designations.
(i) A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.
(ii) A covered entity must designate a contact person or office who is responsible for receiving complaints under this section and who is able to provide further information about matters covered by the notice required by ยง 164.520.
(2) Implementation specification: Personnel designations. A covered entity must document the personnel designations and maintain in written or electronic form for six years.

Audit Inquiry

Has the covered entity designated a privacy official and a contact person consistent with the established performance criterion?
Inquire of management (1) who is responsible for the development and implementation of the privacy policies and procedures; and(2) what person or office is designated to receive privacy complaints.
Obtain and review documentation to determine if the above items are maintained in electronic or written form and retained for a period of six years.