Security Standards
Regulation Text
For the reasons set forth in the preamble, the Department of Health
and Human Services amends title 45, subtitle A, subchapter C, parts
160, 162, and 164 as set forth below:
PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS
1. The authority citation for part
160 continues to read as follows:
Authority: Sec. 1171 through 1179 of the Social Security Act, (42
U.S.C.1320d-1329d-8) as added by sec. 262 of Pub. L. 104-191, 110
Stat. 2021-2031 and sec. 264 of Pub. L. 104-191 (42 U.S.C. 1320d-2(note)).
2. In § 160.103, the definitions
of "disclosure", "electronic media", "electronic
protected health information," "individual," "organized
health care arrangement", "protected health information,"
and "use" are added in alphabetical order to read as follows:
§ 160.103 Definitions.
* * * * *
Disclosure means the release, transfer, provision of, access
to, or divulging in any other manner of information outside the
entity holding the information.
* * * * *
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card;
or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example,
the internet (wide-open), extranet (using internet technology to
link a business with information accessible only to collaborating
parties), leased lines, dial-up lines, private networks, and the
physical movement of removable/transportable electronic storage
media. Certain transmissions, including of paper, via facsimile,
and of voice, via telephone, are not considered to be transmissions
via electronic media, because the information being exchanged did
not exist in electronic form before the transmission.
Electronic protected health information means information that
comes within paragraphs (1)(i) or (1)(ii) of the definition of protected
health information as specified in this section.
* * * * *
Individual means the person who is the subject of protected
health information.
* * * * *
Organized health care arrangement means:
(1) A clinically integrated care setting in which individuals typically
receive health care from more than one health care provider;
(2) An organized system of health care in which more than one covered
entity participates and in which the participating covered entities:
(i) Hold themselves out to the public as participating in a joint
arrangement; and
(ii) Participate in joint activities that include at least one
of the following:
(A) Utilization review, in which health care decisions by participating
covered entities are reviewed by other participating covered
entities or by a third party on their behalf;
(B) Quality assessment and improvement activities, in which
treatment provided by participating covered entities is assessed
by other participating covered entities or by a third party
on their behalf; or
(C) Payment activities, if the financial risk for delivering
health care is shared, in part or in whole, by participating
covered entities through the joint arrangement and if protected
health information created or received by a covered entity is
reviewed by other participating covered entities or by a third
party on their behalf for the purpose of administering the sharing
of financial risk.
(3) A group health plan and a health insurance issuer or HMO with
respect to such group health plan, but only with respect to protected
health information created or received by such health insurance
issuer or HMO that relates to individuals who are or who have been
participants or beneficiaries in such group health plan;
(4) A group health plan and one or more other group health plans
each of which are maintained by the same plan sponsor; or
(5) The group health plans described in paragraph (4) of this definition
and health insurance issuers or HMOs with respect to such group
health plans, but only with respect to protected health information
created or received by such health insurance issuers or HMOs that
relates to individuals who are or have been participants or beneficiaries
in any of such group health plans.
Protected health information means individually identifiable
health information:
(1) Except as provided in paragraph (2) of this definition, that
is:
(i) Transmitted by electronic media;
(ii) Maintained in electronic media; or
(iii) Transmitted or maintained in any other form or medium.
(2) Protected health information excludes individually identifiable
health information in:
(i) Education records covered by the Family Educational Rights
and Privacy Act, as amended, 20 U.S.C. 1232g;
(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
(iii) Employment records held by a covered entity in its role
as employer.
* * * * *
Use means, with respect to individually identifiable health
information, the sharing, employment, application, utilization,
examination, or analysis of such information within an entity that
maintains such information.
* * * * *
PART 162--ADMINISTRATIVE REQUIREMENTS
1. The authority citation for part
162 is revised to read as follows:
Authority: Secs. 1171 through 1179 of the Social Security Act (42
U.S.C. 1320d-1320d-8), as added by sec. 262 of Pub. L. 104-191,
110 Stat. 2021-2031, and sec. 264 of Pub. L. 104-191, 110 Stat.
2033-2034 (42 U.S.C. 1320d-2 (note)).
§ 162.103 [Amended]
2. In § 162.103, the definition
of "electronic media" is removed.
PART 164--SECURITY AND PRIVACY
1. The authority citation for part
164 is revised to read as follows:
Authority: Secs. 1171 through 1179 of the Social Security Act (42
U.S.C. 1320d-1320d-8), as added by sec. 262 of Pub. L. 104-191,
110 Stat. 2021-2031, and 42 U.S.C. 1320d-2 and 1320d-4, sec. 264
of Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)).
2. A new § 164.103 is added
to read as follows:
§ 164.103 Definitions.
As used in this part, the following terms have the following meanings:
Common control exists if an entity has the power, directly
or indirectly, significantly to influence or direct the actions
or policies of another entity.
Common ownership exists if an entity or entities possess
an ownership or equity interest of 5 percent or more in another
entity.
Covered functions means those functions of a covered entity
the performance of which makes the entity a health plan, health
care provider, or health care clearinghouse.
Health care component means a component or combination of
components of a hybrid entity designated by the hybrid entity in
accordance with § 164.105(a)(2)(iii)(C).
Hybrid entity means a single legal entity:
(1) That is a covered entity;
(2) Whose business activities include both covered and non-covered
functions; and
(3) That designates health care components in accordance with
paragraph § 164.105(a)(2)(iii)(C).
Plan sponsor is defined as defined at section 3(16)(B) of
ERISA, 29 U.S.C. 1002(16)(B).
Required by law means a mandate contained in law that compels
an entity to make a use or disclosure of protected health information
and that is enforceable in a court of law. Required by law includes,
but is not limited to, court orders and court-ordered warrants;
subpoenas or summons issued by a court, grand jury, a governmental
or tribal inspector general, or an administrative body authorized
to require the production of information; a civil or an authorized
investigative demand; Medicare conditions of participation with
respect to health care providers participating in the program; and
statutes or regulations that require the production of information,
including statutes or regulations that require such information
if payment is sought under a government program providing public
benefits.
3. Section 164.104 is revised to
read as follows:
§ 164.104 Applicability.
(a) Except as otherwise provided, the standards, requirements,
and implementation specifications adopted under this part apply
to the following entities:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information
in electronic form in connection with a transaction covered by
this subchapter.
(b) When a health care clearinghouse creates or receives protected
health information as a business associate of another covered entity,
or other than as a business associate of a covered entity, the clearinghouse
must comply with § 164.105 relating to organizational requirements
for covered entities, including the designation of health care components
of a covered entity.
4. A new § 164.105 is added
to read as follows:
§ 164.105 Organizational requirements.
(a)(1) Standard: Health care component. If a covered entity is
a hybrid entity, the requirements of subparts C and E of this part,
other than the requirements of this section, § 164.314, and
§ 164.504, apply only to the health care component(s) of the
entity, as specified in this section.
(2) Implementation specifications:
(i) Application of other provisions. In applying a provision
of subparts C and E of this part, other than the requirements
of this section, § 164.314, and § 164.504, to a hybrid
entity:
(A) A reference in such provision to a "covered entity"
refers to a health care component of the covered entity;
(B) A reference in such provision to a "health plan,"
"covered health care provider," or "health care
clearinghouse," refers to a health care component of the
covered entity if such health care component performs the functions
of a health plan, health care provider, or health care clearinghouse,
as applicable;
(C) A reference in such provision to "protected health
information" refers to protected health information that
is created or received by or on behalf of the health care component
of the covered entity; and
(D) A reference in such provision to "electronic protected
health information" refers to electronic protected health
information that is created, received, maintained, or transmitted
by or on behalf of the health care component of the covered
entity.
(ii) Safeguard requirements. The covered entity that is a hybrid
entity must ensure that a health care component of the entity
complies with the applicable requirements of this section and
subparts C and E of this part. In particular, and without limiting
this requirement, such covered entity must ensure that:
(A) Its health care component does not disclose protected health
information to another component of the covered entity in circumstances
in which subpart E of this part would prohibit such disclosure
if the health care component and the other component were separate
and distinct legal entities;
(B) Its health care component protects electronic protected
health information with respect to another component of the
covered entity to the same extent that it would be required
under subpart C of this part to protect such information if
the health care component and the other component were separate
and distinct legal entities;
(C) A component that is described by paragraph (a)(2)(iii)(C)(2)
of this section does not use or disclose protected health information
that it creates or receives from or on behalf of the health
care component in a way prohibited by subpart E of this part;
(D) A component that is described by paragraph (a)(2)(iii)(C)(2)
of this section that creates, receives, maintains, or transmits
electronic protected health information on behalf of the health
care component is in compliance with subpart C of this part;
and
(E) If a person performs duties for both the health care component
in the capacity of a member of the workforce of such component
and for another component of the entity in the same capacity
with respect to that component, such workforce member must not
use or disclose protected health information created or received
in the course of or incident to the member's work for the health
care component in a way prohibited by subpart E of this part.
(iii) Responsibilities of the covered entity. A covered entity
that is a hybrid entity has the following responsibilities:
(A) For purposes of subpart C of part 160 of this subchapter,
pertaining to compliance and enforcement, the covered entity
has the responsibility of complying with subpart E of this part.
(B) The covered entity is responsible for complying with §
164.316(a) and § 164.530(i), pertaining to the implementation
of policies and procedures to ensure compliance with applicable
requirements of this section and subparts C and E of this part,
including the safeguard requirements in paragraph (a)(2)(ii)
of this section.
(C) The covered entity is responsible for designating the components
that are part of one or more health care components of the covered
entity and documenting the designation in accordance with paragraph
(c) of this section, provided that, if the covered entity designates
a health care component or components, it must include any component
that would meet the definition of covered entity if it were
a separate legal entity. Health care component(s) also may include
a component only to the extent that it performs:
(1) Covered functions; or
(2) Activities that would make such component a business
associate of a component that performs covered functions if
the two components were separate legal entities.
(b)(1) Standard: Affiliated covered entities. Legally separate
covered entities that are affiliated may designate themselves as
a single covered entity for purposes of subparts C and E of this
part.
(2) Implementation specifications:
(i) Requirements for designation of an affiliated covered entity.
(A) Legally separate covered entities may designate themselves
(including any health care component of such covered entity)
as a single affiliated covered entity, for purposes of subparts
C and E of this part, if all of the covered entities designated
are under common ownership or control.
(B) The designation of an affiliated covered entity must be
documented and the documentation maintained as required by paragraph
(c) of this section.
(ii) Safeguard requirements. An affiliated covered entity must
ensure that:
(A) The affiliated covered entity's creation, receipt, maintenance,
or transmission of electronic protected health information complies
with the applicable requirements of subpart C of this part;
(B) The affiliated covered entity's use and disclosure of protected
health information comply with the applicable requirements of
subpart E of this part; and
(C) If the affiliated covered entity combines the functions
of a health plan, health care provider, or health care clearinghouse,
the affiliated covered entity complies with § 164.308(a)(4)(ii)(A)
and § 164.504(g), as applicable.
(c)(1) Standard: Documentation. A covered entity must maintain
a written or electronic record of a designation as required by paragraphs
(a) or (b) of this section.
(2) Implementation specification: Retention period. A covered entity
must retain the documentation as required by paragraph (c)(1) of
this section for 6 years from the date of its creation or the date
when it last was in effect, whichever is later.
5. A new subpart C is added to
part 164 to read as follows:
Subpart C--Security Standards for the Protection of Electronic
Protected Health Information
Sec. 164.302 Applicability.
164.304 Definitions.
164.306 Security standards: General rules.
164.308 Administrative safeguards.
164.310 Physical safeguards.
164.312 Technical safeguards.
164.314 Organizational requirements.
164.316 Policies and procedures and documentation requirements.
164.318 Compliance dates for the initial implementation of the
security standards.
Appendix A to Subpart C of Part 164-Security Standards: Matrix
Authority: 42 U.S.C. 1320d-2 and 1320d-4.
§ 164.302 Applicability.
A covered entity must comply with the applicable standards, implementation
specifications, and requirements of this subpart with respect to
electronic protected health information.
§ 164.304 Definitions.
As used in this subpart, the following terms have the following
meanings:
Access means the ability or the means necessary to read,
write, modify, or communicate data/information or otherwise use
any system resource. (This definition applies to "access"
as used in this subpart, not as used in subpart E of this part.)
Administrative safeguards are administrative actions, and
policies and procedures, to manage the selection, development, implementation,
and maintenance of security measures to protect electronic protected
health information and to manage the conduct of the covered entity's
workforce in relation to the protection of that information.
Authentication means the corroboration that a person is
the one claimed.
Availability means the property that data or information
is accessible and useable upon demand by an authorized person.
Confidentiality means the property that data or information
is not made available or disclosed to unauthorized persons or processes.
Encryption means the use of an algorithmic process to transform
data into a form in which there is a low probability of assigning
meaning without use of a confidential process or key.
Facility means the physical premises and the interior and
exterior of a building(s).
Information system means an interconnected set of information
resources under the same direct management control that shares common
functionality.
A system normally includes hardware, software, information,
data, applications, communications, and people.
Integrity means the property that data or information have
not been altered or destroyed in an unauthorized manner.
Malicious software means software, for example, a virus,
designed to damage or disrupt a system.
Password means confidential authentication information composed
of a string of characters.
Physical safeguards are physical measures, policies, and
procedures to protect a covered entity's electronic information
systems and related buildings and equipment, from natural and environmental
hazards, and unauthorized intrusion.
Security or Security measures encompass all of the
administrative, physical, and technical safeguards in an information
system.
Security incident means the attempted or successful unauthorized
access, use, disclosure, modification, or destruction of information
or interference with system operations in an information system.
Technical safeguards means the technology and the policy
and procedures for its use that protect electronic protected health
information and control access to it.
User means a person or entity with authorized access.
Workstation means an electronic computing device, for example,
a laptop or desktop computer, or any other device that performs
similar functions, and electronic media stored in its immediate
environment.
§ 164.306 Security standards: General rules.
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of
all electronic protected health information the covered entity
creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards
to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures
of such information that are not permitted or required under subpart
E of this part.
(4) Ensure compliance with this subpart by its workforce.
(b) Flexibility of approach.
(1) Covered entities may use any security measures that allow
the covered entity to reasonably and appropriately implement the
standards and implementation specifications as specified in this
subpart.
(2) In deciding which security measures to use, a covered entity
must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware,
and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to
electronic protected health information.
(c) Standards. A covered entity must comply with the standards
as provided in this section and in § 164.308, § 164.310,
§ 164.312, § 164.314, and § 164.316 with respect
to all electronic protected health information.
(d) Implementation specifications.
In this subpart:
(1) Implementation specifications are required or addressable.
If an implementation specification is required, the word "Required"
appears in parentheses after the title of the implementation specification.
If an implementation specification is addressable, the word "Addressable"
appears in parentheses after the title of the implementation specification.
(2) When a standard adopted in § 164.308, § 164.310,
§ 164.312, § 164.314, or § 164.316 includes required
implementation specifications, a covered entity must implement
the implementation specifications.
(3) When a standard adopted in § 164.308, § 164.310,
§ 164.312, § 164.314, or § 164.316 includes addressable
implementation specifications, a covered entity must--
(i) Assess whether each implementation specification is a reasonable
and appropriate safeguard in its environment, when analyzed
with reference to the likely contribution to protecting the
entity's electronic protected health information; and
(ii) As applicable to the entity--
(A) Implement the implementation specification if reasonable
and appropriate; or
(B) If implementing the implementation specification is not
reasonable and appropriate--
(1) Document why it would not be reasonable and appropriate
to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable
and appropriate.
(e) Maintenance. Security measures implemented to comply with standards
and implementation specifications adopted under § 164.105 and
this subpart must be reviewed and modified as needed to continue
provision of reasonable and appropriate protection of electronic
protected health information as described at § 164.316.
§ 164.308 Administrative safeguards.
(a) A covered entity must, in accordance with § 164.306:
(1)(i) Standard: Security management process. Implement policies
and procedures to prevent, detect, contain, and correct security
violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate
and thorough assessment of the potential risks and vulnerabilities
to the confidentiality, integrity, and availability of electronic
protected health information held by the covered entity.
(B) Risk management (Required). Implement security
measures sufficient to reduce risks and vulnerabilities to
a reasonable and appropriate level to comply with § 164.306(a).
(C) Sanction policy (Required). Apply appropriate
sanctions against workforce members who fail to comply with
the security policies and procedures of the covered entity.
(D) Information system activity review (Required).
Implement procedures to regularly review records of information
system activity, such as audit logs, access reports, and security
incident tracking reports.
(2) Standard: Assigned security responsibility. Identify the
security official who is responsible for the development and implementation
of the policies and procedures required by this subpart for the
entity.
(3)(i) Standard: Workforce security. Implement policies and procedures
to ensure that all members of its workforce have appropriate access
to electronic protected health information, as provided under
paragraph (a)(4) of this section, and to prevent those workforce
members who do not have access under paragraph (a)(4) of this
section from obtaining access to electronic protected health information.
(ii) Implementation specifications:
(A) Authorization and/or supervision (Addressable).
Implement procedures for the authorization and/or supervision
of workforce members who work with electronic protected health
information or in locations where it might be accessed.
(B) Workforce clearance procedure (Addressable). Implement
procedures to determine that the access of a workforce member
to electronic protected health information is appropriate.
(C) Termination procedures (Addressable). Implement
procedures for terminating access to electronic protected
health information when the employment of a workforce member
ends or as required by determinations made as specified in
paragraph (a)(3)(ii)(B) of this section.
(4)(i) Standard: Information access management. Implement policies
and procedures for authorizing access to electronic protected
health information that are consistent with the applicable requirements
of subpart E of this part.
(ii) Implementation specifications:
(A) Isolating health care clearinghouse functions (Required).
If a health care clearinghouse is part of a larger organization,
the clearinghouse must implement policies and procedures that
protect the electronic protected health information of the
clearinghouse from unauthorized access by the larger organization.
(B) Access authorization (Addressable). Implement
policies and procedures for granting access to electronic
protected health information, for example, through access
to a workstation, transaction, program, process, or other
mechanism.
(C) Access establishment and modification (Addressable).
Implement policies and procedures that, based upon the entity's
access authorization policies, establish, document, review,
and modify a user's right of access to a workstation, transaction,
program, or process.
(5)(i) Standard: Security awareness and training. Implement a
security awareness and training program for all members of its
workforce (including management).
(ii) Implementation specifications. Implement:
(A) Security reminders (Addressable). Periodic security
updates.
(B) Protection from malicious software (Addressable).
Procedures for guarding against, detecting, and reporting
malicious software.
(C) Log-in monitoring (Addressable). Procedures for
monitoring log-in attempts and reporting discrepancies.
(D) Password management (Addressable). Procedures
for creating, changing, and safeguarding passwords.
(6)(i) Standard: Security incident procedures. Implement policies
and procedures to address security incidents.
(ii) Implementation specification: Response and Reporting (Required).
Identify and respond to suspected or known security incidents;
mitigate, to the extent practicable, harmful effects of security
incidents that are known to the covered entity; and document
security incidents and their outcomes.
(7)(i) Standard: Contingency plan. Establish (and implement as
needed) policies and procedures for responding to an emergency
or other occurrence (for example, fire, vandalism, system failure,
and natural disaster) that damages systems that contain electronic
protected health information.
(ii) Implementation specifications:
(A) Data backup plan (Required). Establish and implement
procedures to create and maintain retrievable exact copies
of electronic protected health information.
(B) Disaster recovery plan (Required). Establish (and implement
as needed) procedures to restore any loss of data.
(C) Emergency mode operation plan (Required). Establish (and
implement as needed) procedures to enable continuation of
critical business processes for protection of the security
of electronic protected health information while operating
in emergency mode.
(D) Testing and revision procedures (Addressable). Implement
procedures for periodic testing and revision of contingency
plans.
(E) Applications and data criticality analysis (Addressable).
Assess the relative criticality of specific applications and
data in support of other contingency plan components.
(8) Standard: Evaluation. Perform a periodic technical and nontechnical
evaluation, based initially upon the standards implemented under
this rule and subsequently, in response to environmental or operational
changes affecting the security of electronic protected health
information, that establishes the extent to which an entity's
security policies and procedures meet the requirements of this
subpart.
(b)(1) Standard: Business associate contracts and other arrangements.
A covered entity, in accordance with § 164.306, may permit
a business associate to create, receive, maintain, or transmit electronic
protected health information on the covered entity's behalf only
if the covered entity obtains satisfactory assurances, in accordance
with § 164.314(a) that the business associate will appropriately
safeguard the information.
(2) This standard does not apply with respect to--
(i) The transmission by a covered entity of electronic protected
health information to a health care provider concerning the treatment
of an individual.
(ii) The transmission of electronic protected health information
by a group health plan or an HMO or health insurance issuer on
behalf of a group health plan to a plan sponsor, to the extent
that the requirements of § 164.314(b) and § 164.504(f)
apply and are met; or
(iii) The transmission of electronic protected health information
from or to other agencies providing the services at § 164.502(e)(1)(ii)(C),
when the covered entity is a health plan that is a government
program providing public benefits, if the requirements of §
164.502(e)(1)(ii)(C) are met.
(3) A covered entity that violates the satisfactory assurances
it provided as a business associate of another covered entity will
be in noncompliance with the standards, implementation specifications,
and requirements of this paragraph and § 164.314(a).
(4) Implementation specifications: Written contract or other arrangement
(Required). Document the satisfactory assurances required by paragraph
(b)(1) of this section through a written contract or other arrangement
with the business associate that meets the applicable requirements
of § 164.314(a).
§ 164.310 Physical safeguards.
A covered entity must, in accordance with § 164.306:
(a)(1) Standard: Facility access controls. Implement policies and
procedures to limit physical access to its electronic information
systems and the facility or facilities in which they are housed,
while ensuring that properly authorized access is allowed.
(2) Implementation specifications:
(i) Contingency operations (Addressable). Establish (and implement
as needed) procedures that allow facility access in support of
restoration of lost data under the disaster recovery plan and
emergency mode operations plan in the event of an emergency.
(ii) Facility security plan (Addressable). Implement policies
and procedures to safeguard the facility and the equipment therein
from unauthorized physical access, tampering, and theft.
(iii) Access control and validation procedures (Addressable).
Implement procedures to control and validate a person's access
to facilities based on their role or function, including visitor
control, and control of access to software programs for testing
and revision.
(iv) Maintenance records (Addressable). Implement policies and
procedures to document repairs and modifications to the physical
components of a facility which are related to security (for example,
hardware, walls, doors, and locks).
(b) Standard: Workstation use. Implement policies and procedures
that specify the proper functions to be performed, the manner in
which those functions are to be performed, and the physical attributes
of the surroundings of a specific workstation or class of workstation
that can access electronic protected health information.
(c) Standard: Workstation security. Implement physical safeguards
for all workstations that access electronic protected health information,
to restrict access to authorized users.
(d)(1) Standard: Device and media controls. Implement policies
and procedures that govern the receipt and removal of hardware and
electronic media that contain electronic protected health information
into and out of a facility, and the movement of these items within
the facility.
(2) Implementation specifications:
(i) Disposal (Required). Implement policies and procedures to
address the final disposition of electronic protected health information,
and/or the hardware or electronic media on which it is stored.
(ii) Media re-use (Required). Implement procedures for removal
of electronic protected health information from electronic media
before the media are made available for re-use.
(iii) Accountability (Addressable). Maintain a record of the
movements of hardware and electronic media and any person responsible
therefore.
(iv) Data backup and storage (Addressable). Create a retrievable,
exact copy of electronic protected health information, when needed,
before movement of equipment.
§ 164.312 Technical safeguards.
A covered entity must, in accordance with § 164.306:
(a)(1) Standard: Access control. Implement technical policies and
procedures for electronic information systems that maintain electronic
protected health information to allow access only to those persons
or software programs that have been granted access rights as specified
in § 164.308(a)(4).
(2) Implementation specifications:
(i) Unique user identification (Required). Assign a unique name
and/or number for identifying and tracking user identity.
(ii) Emergency access procedure (Required). Establish (and implement
as needed) procedures for obtaining necessary electronic protected
health information during an emergency.
(iii) Automatic logoff (Addressable). Implement electronic
procedures that terminate an electronic session after a predetermined
time of inactivity.
(iv) Encryption and decryption (Addressable). Implement
a mechanism to encrypt and decrypt electronic protected health
information.
(b) Standard: Audit controls. Implement hardware, software, and/or
procedural mechanisms that record and examine activity in information
systems that contain or use electronic protected health information.
(c)(1) Standard: Integrity. Implement policies and procedures to
protect electronic protected health information from improper alteration
or destruction.
(2) Implementation specification: Mechanism to authenticate electronic
protected health information (Addressable). Implement electronic
mechanisms to corroborate that electronic protected health information
has not been altered or destroyed in an unauthorized manner.
(d) Standard: Person or entity authentication. Implement procedures
to verify that a person or entity seeking access to electronic protected
health information is the one claimed.
(e)(1) Standard: Transmission security. Implement technical security
measures to guard against unauthorized access to electronic protected
health information that is being transmitted over an electronic
communications network.
(2) Implementation specifications:
(i) Integrity controls (Addressable). Implement security
measures to ensure that electronically transmitted electronic
protected health information is not improperly modified without
detection until disposed of.
(ii) Encryption (Addressable). Implement a mechanism to
encrypt electronic protected health information whenever deemed
appropriate.
§ 164.314 Organizational requirements.
(a)(1) Standard: Business associate contracts or other arrangements.
(i) The contract or other arrangement between the covered entity
and its business associate required by
§ 164.308(b) must meet the requirements of paragraph (a)(2)(i)
or (a)(2)(ii) of this section, as applicable.
(ii) A covered entity is not in compliance with the standards
in § 164.502(e) and paragraph (a) of this section if the
covered entity knew of a pattern of an activity or practice of
the business associate that constituted a material breach or violation
of the business associate's obligation under the contract or other
arrangement, unless the covered entity took reasonable steps to
cure the breach or end the violation, as applicable, and, if such
steps were unsuccessful.
(A) Terminated the contract or arrangement, if feasible; or
(B) If termination is not feasible, reported the problem to
the Secretary.
(2) Implementation specifications (Required).
(i) Business associate contracts. The contract between a covered
entity and a business associate must provide that the business
associate will--
(A) Implement administrative, physical, and technical safeguards
that reasonably and appropriately protect the confidentiality,
integrity, and availability of the electronic protected health
information that it creates, receives, maintains, or transmits
on behalf of the covered entity as required by this subpart;
(B) Ensure that any agent, including a subcontractor, to whom
it provides such information agrees to implement reasonable
and appropriate safeguards to protect it;
(C) Report to the covered entity any security incident of which
it becomes aware;
(D) Authorize termination of the contract by the covered entity,
if the covered entity determines that the business associate
has violated a material term of the contract.
(ii) Other arrangements.
(A) When a covered entity and its business associate are both
governmental entities, the covered entity is in compliance with
paragraph (a)(1) of this section, if--
(1) It enters into a memorandum of understanding with the
business associate that contains terms that accomplish the
objectives of paragraph (a)(2)(i) of this section; or
(2) Other law (including regulations adopted by the covered
entity or its business associate) contains requirements applicable
to the business associate that accomplish the objectives of
paragraph (a)(2)(i) of this section.
(B) If a business associate is required by law to perform a
function or activity on behalf of a covered entity or to provide
a service described in the definition of business associate
as specified in § 160.103 of this subchapter to a covered
entity, the covered entity may permit the business associate
to create, receive, maintain, or transmit electronic protected
health information on its behalf to the extent necessary to
comply with the legal mandate without meeting the requirements
of paragraph (a)(2)(i) of this section, provided that the covered
entity attempts in good faith to obtain satisfactory assurances
as required by paragraph (a)(2)(ii)(A) of this section, and
documents the attempt and the reasons that these assurances
cannot be obtained.
(C) The covered entity may omit from its other arrangements
authorization of the termination of the contract by the covered
entity, as required by paragraph (a)(2)(i)(D) of this section
if such authorization is inconsistent with the statutory obligations
of the covered entity or its business associate.
(b)(1) Standard: Requirements for group health plans. Except when
the only electronic protected health information disclosed to a
plan sponsor is disclosed pursuant to § 164.504(f)(1)(ii) or
(iii), or as authorized under § 164.508, a group health plan
must ensure that its plan documents provide that the plan sponsor
will reasonably and appropriately safeguard electronic protected
health information created, received, maintained, or transmitted
to or by the plan sponsor on behalf of the group health plan.
(2) Implementation specifications (Required). The plan documents
of the group health plan must be amended to incorporate provisions
to require the plan sponsor to--
(i) Implement administrative, physical, and technical safeguards
that reasonably and appropriately protect the confidentiality,
integrity, and availability of the electronic protected health
information that it creates, receives, maintains, or transmits
on behalf of the group health plan;
(ii) Ensure that the adequate separation required by § 164.504(f)(2)(iii)
is supported by reasonable and appropriate security measures;
(iii) Ensure that any agent, including a subcontractor, to whom
it provides this information agrees to implement reasonable and
appropriate security measures to protect the information; and
(iv) Report to the group health plan any security incident of
which it becomes aware.
§ 164.316 Policies and procedures and documentation requirements.
A covered entity must, in accordance with § 164.306:
(a) Standard: Policies and procedures. Implement reasonable and
appropriate policies and procedures tobcomply with the standards,
implementation specifications, or other requirements of this subpart,
taking into account those factors specified in § 164.306(b)(2)(i),
(ii), (iii), and (iv). This standard is not to be construed to permit
or excuse an action that violates any other standard, implementation
specification, or other requirements of this subpart. A covered
entity may change its policies and procedures at any time, provided
that the changes are documented and are implemented in accordance
with this subpart.
(b)(1) Standard: Documentation.
(i) Maintain the policies and procedures implemented to comply
with this subpart in written (which may be electronic) form; and
(ii) If an action, activity or assessment is required by this
subpart to be documented, maintain a written (which may be electronic)
record of the action, activity, or assessment.
(2) Implementation specifications:
(i) Time limit (Required). Retain the documentation required
by paragraph (b)(1) of this section for 6 years from the date
of its creation or the date when it last was in effect, whichever
is later.
(ii) Availability (Required). Make documentation available to
those persons responsible for implementing the procedures to which
the documentation pertains.
(iii) Updates (Required). Review documentation periodically,
and update as needed, in response to environmental or operational
changes affecting the security of the electronic protected health
information.
§ 164.318 Compliance dates for the initial implementation
of the security standards.
(a) Health plan.
(1) A health plan that is not a small health plan must comply
with the applicable requirements of this subpart no later than
April 20, 2005.
(2) A small health plan must comply with the applicable requirements
of this subpart no later than April 20, 2006.
(b) Health care clearinghouse. A health care clearinghouse must
comply with the applicable requirements of this subpart no later
than April 20, 2005.
(c) Health care provider. A covered health care provider must comply
with the applicable requirements of this subpart no later than April
20, 2005.
Appendix A to Subpart C
of Part 164
Security Standards: Matrix
ADMINISTRATIVE SAFEGUARDS
287 PHYSICAL SAFEGUARDS
TECHNICAL SAFEGUARDS (see
§ 164.312)
§ 164.500 [Amended]
6. In 164.500(b)(1)(iv), remove
the words "including the designation of health care components
of a covered entity".
§ 165.501 [Amended]
7. In § 164.501, the definitions
of the following terms are removed: Covered functions, Disclosure,
Individual, Organized health care arrangement, Plan sponsor Protected
health information, Required by law, and Use.
§ 164.504 [Amended]
8. In §164.504, the following
changes are made:
a. The definitions of the following terms are removed: Common control,
Common ownership, Health care component, and Hybrid entity.
b. Paragraphs (b) through (d) are removed and reserved.
|
