A health information organization must implement and enforce policies governing the privacy and security of individually identifiable health information and compliance with this chapter. These policies must:

1. Implement the individual rights prescribed in section 36-3802.

2. Address the individual’s right to opt out of having the individual’s individually identifiable health information accessible through the health information organization pursuant to section 36-3803.

3. Address the content and distribution of the notice of health information practices prescribed in section 36-3804.

4. Implement the restrictions on disclosure of individually identifiable health information through the health information organization as prescribed in section 36-3805.

5. Address security safeguards to protect individually identifiable health information as required by the health insurance portability and accountability act security rule (Title 45 of the Code of Federal Regulations, Part 164, subpart C).

6. Prescribe the appointment and responsibilities of a person or persons who have responsibility for maintaining privacy and security procedures for the health information organization.

7. Require training of each employee and agent of the health information organization about the health information organization’s policies, including the need to maintain the privacy and security of individually identifiable health information and the penalties for the unauthorized access, release, transfer, use or disclosure of individually identifiable health information. The health information organization must initially provide this training before an employee or agent may have access to individually identifiable health information available through the health information organization, and at a later time as reasonable and appropriate in accordance with the training implementation specifications required by the health insurance portability and accountability act privacy rule (45 C.F.R. § 164.530(b)).