NOTE: This section of the Security Standard has been updated in the final Security Rule as of April 21, 2003, and is no longer current - it is provided for reference only.
H. Rules for Security Standards and Electronic Signature Standard
1. Health plans.
a. In § 142.306(a), we would require health plans to accept and apply the security standard to all health care information pertaining to an individual that is electronically maintained or electronically transmitted. Federal agencies and States may place additional requirements on their health plans. In addition, trading partners may mutually agree to implement additional security measures.
b. In § 142.310(a), entities would not be required to use an electronic signature. However, if a plan elects to use an electronic signature in one of the transactions named in the law, it would be required to apply the electronic signature standard described in § 142.310(b) to that transaction. In the future, we anticipate that the standards for other transactions may include requirements for signatures. In particular, the proposed standard for claims attachments, which will be issued in a separate regulations package later, may include signature requirements on some or all of the attachments. If the proposed attachments standard includes such signature requirements, we will address the issue of how to reconcile such requirements with existing State and Federal requirements for written signatures as part of the proposed rule.
2. Health care clearinghouses.
a. We would require in § 142.306(b) that each health care clearinghouse comply with the security standard to ensure all health care information and activities are protected from unauthorized access. If the clearinghouse is part of a larger organization, then security must be imposed to prevent unauthorized access by the larger organization. The security standards apply to all health information pertaining to an individual that is electronically maintained or electronically transmitted.
b. In § 142.310(a), entities would not be required to use an electronic signature. However, if a plan elects to use an electronic signature in one of the transactions named in the law, it would be required to apply the electronic signature standard described in § 142.310(b) to that transaction. In the future, we anticipate that the standards for other transactions may include requirements for signatures. In particular, the proposed standard for claims attachments, which will be issued in a separate regulations package later, may include signature requirements on some or all of the attachments. If the proposed attachments standard includes such signature requirements, we will address the issue of how to reconcile such requirements with existing State and Federal requirements for written signatures as part of the proposed rule.
3. Health care providers.
a. In § 142.306(a), we would require each health care provider to apply the security standard to all health information pertaining to an individual that is electronically maintained or electronically transmitted.
b. In § 142.310(a), entities would not be required to use an electronic signature. However, if a plan elects to use an electronic signature in one of the transactions named in the law, it would be required to apply the electronic signature standard described in § 142.310(b) to that transaction. In the future, we anticipate that the standards for other transactions may include requirements for signatures. In particular, the proposed standard for claims attachments, which will be issued in a separate regulations package later, may include signature requirements on some or all of the attachments. If the proposed attachments standard includes such signature requirements, we will address the issue of how to reconcile such requirements with existing State and Federal requirements for written signatures as part of the proposed rule.
I. Effective Dates
Health plans would be required to comply with the security and electronic signature standards as follows:
- Each health plan that is not a small health plan would have to comply with the requirements of §§ 142.306, 142.308, and 142.310 no later than 24 months after publication of the final rule.
- Each small health plan would have to comply with the requirements of §§ 142.306, 142.308, and 142.310 no later than 36 months after the date of publication of the final rule.
- If the effective date for the electronic transaction standards is later than the effective date for the security standard, implementation of the security standard would not be delayed until the standard transactions are in use. The security standard would still be effective with respect to electronically stored or maintained data. Security of health information would not be solely tied to the standard transactions but would apply to all individual health information electronically stored, maintained, or transmitted.
- Under this proposed rule, in some cases, a health plan could choose to convert from paper to standard EDI transactions prior to the effective date of the security standard. We would recommend that the security standard be implemented at that time in order to safeguard the data in those transactions. We invite comments on this issue.
- Failure to comply with standards may result in monetary penalties. The Secretary is required by statute to impose penalties of not more than $100 per violation on any person who fails to comply with a standard, except that the total amount imposed on any one person in each calendar year may not exceed $25,000 for violations of one requirement.
We are not proposing any enforcement procedures at this time, but we plan to do so in a future Federal Register document once the industry has some experience with using the standards. These procedures will be in place by the time the standards are implemented by industry. We envision the monitoring and enforcement process as a partnership between the Federal government and the private sector. Some private accreditation bodies have already exhibited interest in certifying compliance with the security requirements as part of their accreditation reviews. Small providers may be able to self-certify through industry-developed checklists. HHS would likely retain the final responsibility for determining violations and imposing the penalties specified by the statute. We welcome comments on this approach.