textCovered entities have a duty to mitigate, "to the extent practicable," any harmful effects due to uses or disclosures of protected health information (PHI) in violation of the regulations or their own policies.

DHHS has noted in commentary that the duty to mitigate arises only when the covered entity "has actual knowledge of harm." The covered entity is required to take "reasonable steps" to reduce deleterious effects of those actions about which it knows.

Covered entities are not required to monitor the practices of their business associates in detail. However, entities are obligated to take reasonable steps to respond to any problems at associates of which they become aware.

Obviously there is an obligation for a covered entity to undertake reasonably close monitoring of the activities of members of its workforce.

See also:

• 45 CFR 164.530(f)

Last modified: 14-May-2005 [RC]