Security Standards
III. Analysis of, and Responses to,
Public Comments on the Proposed Rule
H. Organizational Requirements (§ 164.314)
We proposed that each health care clearinghouse must comply with
the security standards to ensure all health information and activities
are protected from unauthorized access. If the clearinghouse is
part of a larger organization, then unauthorized access by the larger
organization must be prevented. We also proposed that parties processing
data through a third party would be required to enter into a chain
of trust partner agreement, a contract in which the parties agree
to electronically exchange data and to protect the transmitted data
in accordance with the security standards.
In this final rule, we have adopted the concepts of hybrid and
affiliated entities, as previously defined in § 164.504, and
now defined in § 164.103, and business associates as defined
in § 160.103, to be consistent with the Privacy Rule. General
organizational requirements related to affiliated covered entities
and hybrid entities are now contained in a new § 164.105. The
proposed chain of trust partner agreement has been replaced by the
standards for business associate contracts or other arrangements
and the standards for group health plans. Consistent with the statute
and the policy of the Privacy Rule, this final rule does not require
noncovered entities to comply with the security standards.
1. Health Care Clearinghouses
The proposed rule proposed that if a health care clearinghouse
were part of a larger organization, it would be required to ensure
that all health information pertaining to an individual is protected
from unauthorized access by the larger organization; this statement
closely tracked the statutory language in section 1173(d)(1)(B)
of the Act. Since the point of the statutory language is to ensure
that health care information in the possession of a health care
clearinghouse is not inappropriately accessed by the larger organization
of which it is a part, this final rule implements the statutory
language through the information access management provision of
§ 164.308(a)(4)(ii)(A).
The final rule, at § 164.105, makes the health care component
and affiliated entity standards of the Privacy Rule applicable to
the security standards. Therefore, we have not changed those standards
substantively. As they pertain to the Privacy Rule, we have simply
moved them to a new location in part 164. Any differences between
§ 164.105 and § 164.504(a) through (d) reflect the addition
of requirements specific to the security standards.
The health care component approach was developed in response to
extensive comment received principally on the Privacy Rule. See
65 FR 82502 through 82503 and 82637 through 82640 for a discussion
of the policy concerns underlying the health care component approach.
Since the security standards are intended to support the protection
of electronic information protected by the Privacy Rule, it makes
sense to incorporate organizational requirements that parallel those
required of covered entities by the Privacy Rule. This policy will
also minimize the burden of complying with both rules.
a. Comment: Relative to the following preamble statement
(63 FR 43258): "If the clearinghouse is part of a larger organization,
then security must be imposed to prevent unauthorized access by
the larger organization."
One commenter asked what is considered to be "the larger organization."
For example, if a clearinghouse function occurs in a department
of a larger business entity, will the regulation cover all internal
electronic communication, such as e-mail, within the larger business
and all external electronic communication, such as e-mail with its
owners?
Response: The "larger organization" is the overall
business entity that a clearinghouse would be part of. Under the
Security Rule, the larger organization must assure that the health
care clearinghouse function has instituted measures to ensure only
that electronic protected health information that it processes is
not improperly accessed by unauthorized persons or other entities,
including the larger organization. Internal electronic communication
within the larger organization will not be covered by the rule if
it does not involve the clearinghouse, assuming that it has designated
health care components, of which the health care clearinghouse is
one.
External communication must be protected as sent by the clearinghouse,
but need not be protected once received.
b. Comment: One commenter asked that the first sentence
in § 142.306(b) of the proposed rule, "If a health care
clearinghouse is part of a larger organization, it must assure all
health information is protected from unauthorized access by the
larger organization" be expanded to read, "If a health
care clearinghouse or any other health care entity is part of a
larger organization . . ."
Response: The Act specifically provides, at section 1173(d)(1)(B),
that the Secretary must adopt standards to ensure that a health
care clearinghouse, if part of a larger organization, has policies
and security procedures to protect information from unauthorized
access by the larger organization.
Health care providers and health plans are often part of larger
organizations that are not themselves health care providers or health
plans. The security measures implemented by health plans and covered
health care providers should protect electronic protected health
information in circumstances such as the one identified by the commenter.
Therefore, we agree with the comment that the requirement should
be expanded as suggested by the commenter. In this final rule, those
components of a hybrid entity that are designated as health care
components must comply with the security standards and protect against
unauthorized access with respect to the other components of the
larger entity in the same way as they must deal with separate entities.
2. Business Associate Contracts and Other Arrangements
We proposed that parties processing data through a third party
would be required to enter into a chain of trust partner agreement,
a contract in which the parties agree to electronically exchange
data and to protect the transmitted data. This final rule narrows
the scope of agreements required. It essentially tracks the provisions
in § 164.502(e) and § 164.504(e) of the Privacy Rule,
although appropriate modifications have been made in this rule to
the required elements of the contract.
In this final rule, a contract between a covered entity and a business
associate must provide that the business associate must--(1) implement
safeguards that reasonably and appropriately protect the confidentiality,
integrity, and availability of the electronic protected health information
that it creates, receives, maintains, or transmits on behalf of
the covered entity; (2) ensure that any agent, including a subcontractor,
to whom it provides this information agrees to implement reasonable
and appropriate safeguards; (3) report to the covered entity any
security incident of which it becomes aware; (4) make its policies
and procedures, and documentation required by this subpart relating
to such safeguards, available to the Secretary for purposes of determining
the covered entity's compliance with this subpart; and (5) authorize
termination of the contract by the covered entity if the covered
entity determines that the business associate has violated a material
term of the contract.
When a covered entity and its business associate are both governmental
entities, an "other arrangement" is sufficient. The covered
entity is in compliance with this standard if it enters into a memorandum
of understanding with the business associate that contains terms
that accomplish the objectives of the above-described business associate
contract. However, the covered entity may omit from this memorandum
the termination authorization required by the business associate
contract provisions if this authorization is inconsistent with the
statutory obligations of the covered entity or its business associate.
If other law (including regulations adopted by the covered entity
or its business associate) contains requirements applicable to the
business associate that accomplish the objectives of the above-described
business associate contract, a contract or agreement is not required.
If a covered entity enters into other arrangements with another
governmental entity that is a business associate, such arrangements
may omit provisions equivalent to the termination authorization
required by the business associate contract, if inconsistent with
the statutory obligation of the covered entity or its business associate.
If a business associate is required by law to perform a function
or activity on behalf of a covered entity or to provide a service
described in the definition of business associate in § 160.103
of this subchapter to a covered entity, the covered entity may permit
the business associate to receive, create, maintain, or transmit
electronic protected health information on its behalf to the extent
necessary to comply with the legal mandate without meeting the requirements
of the above-described business associate contract, provided that
the covered entity attempts in good faith to obtain satisfactory
assurances as required by the above-described business associate
contract and documents the attempt and the reasons that these assurances
cannot be obtained.
We have added a standard for group health plans that parallels
the provisions of the Privacy Rule. It became apparent during the
course of the security and privacy rulemaking that our original
chain of trust approach was both overly broad in scope and failed
to address appropriately the circumstances of certain covered entities,
particularly the ERISA group health plans. These latter considerations
and the solutions arrived at in the Privacy Rule are described in
detail in the Privacy Rule at 65 FR 82507 through 82509. Because
the purpose of the security standards is in part to reinforce privacy
protections, it makes sense to align the organizational policies
of the two rules. This decision should also make compliance less
burdensome for covered entities than would a decision to have different
organizational requirements for the two sets of rules.
Thus, we have added at § 164.314(b) a standard for group health
plans that tracks the standard at § 164.504(f) very closely.
The purpose of these provisions is to ensure that, except when the
electronic protected health information disclosed to a plan sponsor
is summary health information or enrollment or disenrollment information
as provided for by § 164.504(f), group health plan documents
provide that the plan sponsor will reasonably and appropriately
safeguard electronic protected health information created, received,
maintained or transmitted to or by the plan sponsor on behalf of
the group health plan. The plan documents of the group health plan
must be amended to incorporate provisions to require the plan sponsor
to implement reasonable and appropriate safeguards to protect the
confidentiality, integrity, and availability of the electronic protected
health information that it creates, receives, maintains, or transmits
on behalf of the group health plan; ensure that the adequate separation
required by § 164.504(f)(2)(iii) is supported by reasonable
and appropriate security measures; ensure that any agent, including
a subcontractor, to whom it provides this information agrees to
implement reasonable and appropriate safeguards to protect the information;
report to the group health plan any security incident of which it
becomes aware; and make its policies and procedures and documentation
relating to these safeguards available to the Secretary for purposes
of determining the group health plan's compliance with this subpart.
a. Comment: Several commenters expressed confusion concerning
the applicability of proposed § 142.104 to security.
Response: The proposed preamble included language generally
applicable to most of the proposed standards under HIPAA. Proposed
§ 142.104 concerned general requirements for health plans relative
to processing transactions. We proposed that plans could not refuse
to conduct a transaction as a standard transaction, or delay or
otherwise adversely affect a transaction on the grounds that it
was a standard transaction; health information transmitted and received
in connection with a transaction must be in the form of standard
data elements; and plans conducting transactions through an agent
must ensure that the agent met all the requirements that applied
to the health plan. Except for the statement that a plan's agent
("business associate" in the final rule) must meet the
requirements (which would include security) that apply to the health
plan, this proposed section did not pertain to the security standards
and was addressed in the Transaction Rule.
b. Comment: The majority of comments concerned proposed
rule language stating "the same level of security will be maintained
at all links in the chain . . ." Commenters believed the current
language will have an adverse impact on one of the security standard's
basic premises, which is scalability. It was requested that the
language be changed to indicate that, while appropriate security
must be maintained, all partners do not need to maintain the same
level of security.
A number of commenters expressed some confusion concerning their
responsibility for the security of information once it has passed
from their control to their trading partner's control, and so on
down the trading partner chain. Requests were made that we clarify
that chain of trust partner agreements were really between two parties,
and that, if a trading partner agreement has been entered into,
any given partner would not be responsible, or liable, for the security
of data once it is out of his or her control.
In line with this concern, several commenters were concerned that
they would have some responsibility to ensure the level of security
maintained by their trading partner.
Several commenters believe a chain of trust partner agreement should
not be a security requirement. One commenter stated that because
covered entities must already conform to the regulation requirements,
a "chain of trust" agreement does not add to overall security.
Compliance with the regulation should be sufficient.
Response: We believe the commenters are correct that the
rule as proposed would--(1) not allow for scalability; and (2)
lead an entity to believe it is responsible, and liable, for making
sure all entities down the line maintain the same level of security.
The confusion here seems to come from the phrase "same level
of security." Our intention was that each trading partner would
maintain reasonable and appropriate safeguards to protect the information.
We did not mean that partners would need to implement the same security
technology or measures and procedures.
We have replaced the proposed "Chain of trust" standard
with a standard for "Business associate contracts and other
arrangements."
When another entity is acting as a business associate of a covered
entity, we require the covered entity to require the other entity
to protect the electronic protected health information that it creates,
receives, maintains or transmits on the covered entity's behalf.
The level of security afforded particular electronic protected health
information should not decrease just because the covered entity
has made the business decision to entrust a business associate with
using or disclosing that information in connection with the performance
of certain functions instead of doing those functions itself. Thus,
the rule below requires covered entities to require their business
associates to implement certain safeguards and take other measures
to ensure that the information is safeguarded (see § 164.308(b)(1)
and § 164.314(a)(1)).
The specific requirements of § 164.314(a)(1) are drawn from
the analogous requirements at 45 CFR 164.504(e) of the Privacy Rule,
although they have been adapted to reflect the objectives and context
of the security standards. Compare, in particular, 45 CFR 164.504(e)(2)(ii)
with § 164.314(a)(1). We have not imported all of the requirements
of 45 CFR 164.504(e), however, as many have no clear analog in the
security context (see, for example, 45 CFR 164.504(e)(2)(i) regarding
permitted and required uses and disclosures made by a business associate).
HHS had previously committed to reconciling its security and privacy
policies regarding business associates (see 65 FR 82643). The close
relationship of many of the organizational requirements in
§ 164.314 with the analogous requirements of the Privacy Rule
should facilitate the implementation and coordination of security
and privacy policies and procedures by covered entities.
In contrast, when another entity is not acting as a business associate
for the covered entity, but rather is acting in the capacity of
some other sort of trading partner, we do not require the covered
entity to require the other entity to adopt particular security
measures, as previously proposed. This policy is likewise consistent
with the general approach of the Privacy Rule (see the discussion
in the Privacy Rule at 65 FR 82476). The covered entity is free
to negotiate security arrangements with its non-business associate
trading partners, but this rule does not require it to do so.
A similar approach underlies § 164.314(b) below. These provisions
are likewise drawn from, and intended to support, the analogous
privacy protections provided for by 45 CFR 164.504(f) (see the discussion
of § 164.504(f) of the Privacy Rule at 65 FR 82507 through
82509, and 82646 through 82648). As with the business associate
contract provisions, however, they are imported and adapted only
to the extent they make sense in the security context. Thus, for
example, the requirement at § 164.504(f)(2)(ii)(C) prohibits
the plan documents from permitting disclosure of protected health
information to the plan sponsor for employment-related purposes.
As this prohibition goes entirely to the permissibility of a particular
type of disclosure, it has no analog in § 164.314(b).
c. Comment: Several commenters stated that if security features
are determined by agreements established between "trading partners,"
as stated in the proposed regulations, there should be some guidelines
or boundaries for those agreements so that extreme or unusual provisions
are not permitted.
Response: This final rule sets a baseline, or minimum level,
of security measures that must be taken by a covered entity and
stipulates that a business associate must also implement reasonable
and appropriate safeguards. This final rule does not, however, prohibit
a covered entity from employing more stringent security measures
or from requiring a business associate to employ more stringent
security measures. A covered entity may determine that, in order
to do business with it, a business associate must also employ equivalent
measures. This would be a business decision and would not be governed
by the provisions of this rule. Security mechanisms relative to
the transmission of electronic protected health information between
entities may need to be agreed upon by both parties in order to
successfully complete the transmission. However, the determination
of the specific transmission mechanisms and the specific security
features to be implemented remains a business decision.
d. Comment: Several commenters asked whether existing contracts
could be used to meet the requirement for a trading partner agreement,
or whether the rule requires entry into a new contract specific to
this purpose. Also, the commenters want to know about those whose working
agreements do not involve written contractual agreement: Do they
now need to set up formal agreements and incur the additional expense
that would entail?
Response: This final rule requires written agreements between
covered entities and business associates. New contracts do not have
to be entered into specifically for this purpose, if existing written
contracts adequately address the applicable requirements (or can
be amended to do so).
e. Comment: Several commenters asked whether covered entities
are responsible for the security of all individual
health information sent to them, or only information sent by chain
of trust partners. They also asked if they can refuse to process
standard transactions sent to them in an unsecured fashion. In addition,
they inquired if they can refuse to send secured information in
standard transactions to entities not required by law to secure
the information. One commenter asked if there is a formula for understanding
in any particular set of relationships where the ultimate responsibility
for compliance with the standards would lie.
Response: Pursuant to the Transactions Rule, if a health
plan receives an unsecured standard transaction, it may not refuse
to process that transaction simply because it was sent in an unsecured
manner. The health plan is not responsible under this rule for
how the transaction was sent to it (unless the transmission was
made by a business associate, in which case different considerations
apply); however, once electronic protected health information is
in the possession of a covered entity, the covered entity is responsible
for the security of the electronic protected health information
received. The covered entity must implement technical security mechanisms
to guard against unauthorized access to electronic protected health
information that is transmitted over an electronic communication
network. In addition, the rule requires the transmitting covered
entity to obtain written assurance from a business associate receiving
the transmission that it will provide an adequate level of protection
to the information. For the business associate provisions, see §
164.308(b) and § 164.314(a) of this final rule.
f. Comment: One commenter asked what security standards
a vendor having access to a covered entity's health information
during development, testing, and repair must meet and wanted to
know whether the rule anticipates having a double layer of security
compliance (one at the user level and one at the vendor level).
If so, the commenter believes this will cause duplication of work.
Response: In the situation described, the vendor would be
acting as a business associate. The covered entity must require
the business associate to implement reasonable and appropriate security
protections of electronic protected health information. This requirement,
however, does not impose detailed requirements for how that level
of protection must be achieved. The resulting flexibility should
permit entities and their business associates to adapt their security
safeguards in ways that make sense in their particular environments.
g. Comment: A number of commenters requested sample contract
language or models of contracts. We also received one comment that
suggested that we should not dictate the contents of contracted
agreements.
Response: We will consider developing sample contract language
as part of our guideline development.