Security Standards
III. Analysis of, and Responses to, Public Comments on the Proposed Rule
I. Policies and Procedures and Documentation Requirements (§ 164.316)
We proposed requiring documented policies and procedures for the
routine and nonroutine receipt, manipulation, storage, dissemination,
transmission, and/or disposal of health information. We proposed
that the documentation be reviewed and updated periodically.
We have emphasized throughout this final rule the scalability allowed
by the security standards. This final rule requires covered entities
to implement policies and procedures that are reasonably designed,
taking into account the size and type of activities of the covered
entity that relate to electronic protected health information, and
requires that the policies and procedures must be documented in
written form, which may be in electronic form. This final rule also
provides that a covered entity may change its policies and procedures
at any time, provided that it documents and implements the changes
in accordance with the applicable requirements. Covered entities
must also document designations, for example, of affiliation between
covered entities (see § 164.105(b)), and other actions, as
required by other provisions of the subpart.
1. Comment: One commenter wanted development of written
policies regarding such things as confidentiality and privacy rights
for access to medical records, and approval of research by a review
board when appropriate.
Response: These issues are covered in the Privacy Rule (65 FR 82462) (see, in particular, § 164.512(i), § 164.524, and § 164.530(i)).
2. Comment: One commenter asked if standards will override
agreements that require others to maintain hardcopy documentation
(for example, signature on file) and no longer require submitters
to maintain hardcopy documentation.
Response: The security standards will require a minimum
level of documentation of security practices. Any agreements between
trading partners for the exchange of electronic protected health
information that impose additional documentation requirements will
not be overridden by this final rule.
3. Comment: One commenter stated that there should be a
requirement to document only applications deemed necessary by an
applications and data criticality assessment.
Response: Electronic protected health information must be
afforded security protection under this rule regardless of what
application it resides in. The measures taken to protect that information
must be documented.
4. Comment: One commenter asked how detailed the documentation
must be. Another commenter asked what "kept current" meant.
Response: Documentation must be detailed enough to communicate
the security measures taken and to facilitate periodic evaluations
pursuant to § 164.308(a)(8). While the term "current"
is not in the final rule, this concept has been adopted in the requirement
that documentation must be updated as needed to reflect security
measures currently in effect.
5. Comment: We received one comment concerning review and
updating of implementing documentation suggesting that "periodically"
be changed to "at least annually."
Response: We believe that the requirement should remain
as written, in order to allow individual entities to establish review
and update cycles as deemed necessary. The need for review and update
will vary dependent upon a given entity's size, configuration, environment,
operational changes, and the security measures implemented.