List three things a covered entity must do in order to comply with the provisions of the HIPAA Privacy Rule.

What will be an ideal response?

Develop and implement written privacy policies and procedures for the use, release, or distribution, and request of protected health information (PHI).
Designate a privacy official/officer who is responsible for enforcing the policies and procedures.
Develop and implement policies and procedures that limit access and use of protected health information based on the specific roles of workforce members (that is, employees, volunteers, trainees, and other persons under the direct control of the agency).
Train all workforce members about its privacy policies and procedures.
Apply appropriate sanctions against workforce members who violate privacy policies and procedures.
Maintain reasonable and appropriate safeguards to prevent violations of privacy policies and procedures (that is, securing medical records with lock and key or pass code).
Provide a written notice of the agency's privacy practices related to the use and disclosure of protected health information to individuals who receive services from the agency.
Develop procedures that inform an individual how to submit a complaint related to violations or suspected violations of privacy policies and procedures.
Identify the contact person or office that is responsible for receiving the complaints.
Develop policies and procedures that tell an individual how to review, obtain a copy of, and amend his/her protected health information.