The CE’s Privacy Officer or Security Officer (can be one and the same) is responsible for this. They would also be the focal point in the event of an investigation or audit. Key components might include privacy and security policies and procedures, forms, having business associate agreements in place, and documentation of workforce training.