Security Standards

(as published in the Federal Register,
February 20, 2003)

Regulation Effective Date: April 21, 2003

Compliance Date: April 20, 2005 for most covered entities
(April 20, 2006 for small health plans)
per § 164.318(a)(1) of the regulation text

HHS SUMMARY: This final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers. The use of the security standards will improve the Medicare and Medicaid programs, and other Federal health programs and private health programs, and the effectiveness and efficiency of the health care industry in general by establishing a level of protection for certain electronic health information. This final rule implements some of the requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

CMS' HIPAA Security Series of Educational Papers:

1. Security 101 for Covered Entities (PDF)
2. Security Standards - Administrative Safeguards (PDF)
3. Security Standards - Physical Safeguards (PDF)
4. Security Standards - Technical Safeguards (PDF)
5. Security Standards - Organizational, Policies and Procedures, and Documentation Requirements (PDF)
6. Basics of Risk Analysis & Risk Management
7. Implementation for the Small Provider

---

Related NIST publications:

• SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996 (PDF)
• SP 800-16 Information Technology Security Training Requirements: A Role- and Performance-Based Model (supersedes NIST Spec. Pub. 500-172), April 1998, broken down into 3 parts:
  • Part 1 - document (PDF)
  • Part 2 - Appendix A-D (PDF)
  • Part 3 - Appendix E (PDF)
• SP 800-26 Security Self Assessment Guide for IT Systems (PDF)
• SP 800-30 Risk Management Guide for Information Systems (PDF)
• SP 800-33 Underlying Technical Models for Information Technology Security, December 2001 (PDF)
• SP 800-50 Building an IT Security Awareness and Training Program (PDF)
• SP 800-55 Security Metrics Guide for IT Systems(PDF)
• SP 800-66 Introductory Resource Guide for Implementing the HIPAA Security Rule (PDF)

PREAMBLE:

• Summary and Introduction
• I. Background
• II. General Overview of the Provisions of the Proposed Rule
• III. Analysis of, and Responses to, Public Comments on the Proposed Rule
  • A. General Issues
  • B. Applicability (§ 164.302)
  • C. Transition to the Final Rule
  • D. General Rules (§ 164.306)
  • E. Administrative Safeguards (§ 164.308)
  • 1. Security management process (§ 164.308(a)(1)(i))
  • 2. Assigned Security Responsibility (§ 164.308(a)(2))
  • 3. Workforce Security (§ 164.308(a)(3)(i))
  • 4. Information Access Management (§ 164.308(a)(4))
  • 5. Security Awareness and Training (§ 164.308(a)(5)(i))
  • 6. Security Incident Procedures (§ 164.308(a)(6))
  • 7. Contingency Plan (§ 164.308(a)(7)(i))
  • 8. Evaluation (§ 164.308(a)(8))
  • 8(sic). Business Associate Contracts or Other Arrangements (§ 164.308(b)(1))
  • 9. Proposed Requirements Not Adopted in This Final Rule
  • F. Physical Safeguards (§ 164.310)
  • G. Technical Safeguards (§ 164.312)
  • H. Organizational Requirements (§ 164.314)
  • I. Policies and Procedures and Documentation Requirements (§ 164.316)
  • J. Compliance Dates for Initial Implementation (§ 164.318)
  • K. Appendix
  • L. Miscellaneous Issues
  • M. Proposed Impact Analysis
• IV. Regulatory Impact Analysis
  • A. Overall Impact
  • B. Anticipated Effects
  • C. Changes from the 1998 Impact Analysis
  • D. Guiding Principles for Standard Selection
  • E. Affected Entities
  • F. Factors in Establishing the Security Standard
  • G. Alternatives Considered
• V. Collection of Information Requirements
• IV(sic). Provisions of the Final Regulation

REGULATION TEXT:

• PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS
  • 1. Authority citation for part 160
  • 2. § 160.103 Definitions
• PART 162--ADMINISTRATIVE REQUIREMENTS
  • 1. Authority citation for part 162
  • 2. § 162.103 Definition
• PART 164--SECURITY AND PRIVACY
  • 1. Authority citation for part 164
  • 2. § 164.103 Definitions
  • 3. § 164.104 Applicability.
  • 4. § 164.105 Organizational requirements.
  • 5. Subpart C--Security Standards for the Protection of Electronic Protected Health Information

    Appendix A to Subpart C of Part 164:

    • Security Standards: Matrix
      • ADMINISTRATIVE SAFEGUARDS
      • 287 PHYSICAL SAFEGUARDS
      • TECHNICAL SAFEGUARDS (see § 164.312)
        
        
  • 6. § 164.500 Amended
  • 7. § 164.501 Amended
  • 8. §164.504 Amended

View the proposed rule.

HIPAA Primer

FINAL:

Security

Transaction
Modifications

Transactions

Privacy
(Modified 8/02)

Privacy (Original)

Employer ID

Provider ID

Enforcement

HITS

Electronic Medicare Claims

PROPOSED:

Claims Attachments

Electronic Signature

Schedule for Reg Publication/
Compliance Calendar