
Standards for Security and Electronic Signatures

NOTE: This section of the Security Standard has been updated in the final Security Rule as of April 21, 2003, and is no longer current - it is provided for reference only.

III. Implementation

If an entity elects to use an electronic signature in a transaction, or if an electronic signature is required by a transaction standard adopted by the Secretary, the entity must apply the electronic signature standard described in § 142.310(b).

How the security standard would be implemented is dependent upon industry trading partner agreements for electronic transmissions. The health care industry would be able to adapt the security matrix to meet its business needs. We propose that the requirements of the security standard be implemented over time. However, we would require implementation to be complete by the applicable effective date. We would encourage, but not require that entities comply with the security standard as soon as practicable, preferably before implementing the transactions standards.

The security standard would supersede contrary provisions of State law including State law requiring medical or health plan records to be maintained or transmitted in other electronic formats. There are certain exceptions when the standards would not supersede contrary provisions of State law; section 1178 identifies those conditions and directs the Secretary to determine whether a particular State provision falls within one or more of the exceptions.

The electronic signature standard (digital signature) would be deemed to satisfy Federal and State statutory requirements for written signatures with respect to the named transactions referred to in the legislation.

Several accreditation organizations such as the Electronic Healthcare Network Accreditation Commission (EHNAC), the Joint Commission on Accreditation of Healthcare Organizations (JCAHO), and the National Committee for Quality Assurance (NCQA), indicate that one of their accreditation requirements will be compliance with the HIPAA security and electronic signature (if applicable) standards.

IV. New and Revised Standards

To encourage innovation and promote development, we plan to establish a process to allow an organization to request a revision or replacement to any adopted standard or standards. An organization could request a revision or replacement to an adopted standard by requesting a waiver from the Secretary of Health and Human Services to test a revised or new standard. The organization would be required, at a minimum, to demonstrate that the revised or new standard offers a clear improvement over the adopted standard. If the organization presents sufficient documentation that supports testing of a revised or new standard, we want to be able to grant the organization a temporary waiver to test while remaining in compliance with the law. We do not intend to establish a process that would allow an organization to avoid using any adopted standard.

We would welcome comments on the following: (1) How we should establish this process, (2) the length of time a proposed standard should be tested before we decide whether to adopt it, (3) whether we should solicit public comments before implementing a change in a standard, and (4) other issues and recommendations we should consider. Comments should be submitted to the addresses presented in the ADDRESSES section of this document.

The following is one possible process:

  • Any organization that wishes to revise or replace an adopted standard would submit its waiver request to an HHS evaluation committee (to be established or defined). The organization would do the following for each standard it wishes to revise or replace:
    • Provide a detailed explanation, no more than 10 pages, of how the revision or replacement would be a clear improvement over the current standard.
    • Provide specifications and technical capabilities on the revised or new standard, including any additional system requirements.
    • Provide an explanation, no more than five pages, of how the organization intends to test the standard.

The committee’s evaluation would, at a minimum, be based on the following:

  • A cost-benefit analysis.
  • An assessment of whether the proposed revision or replacement demonstrates a clear improvement to an existing standard.
  • The extent and length of time of the waiver.

The evaluation committee would inform the organization requesting the waiver within 30 working days of the committee’s decision on the waiver request. If the committee decides to grant a waiver, the notification may include the following:

  • Committee comments such as the following:
    • The length of time for which the waiver applies if it differs from the waiver request.
    • The sites the committee believes are appropriate for testing if they differ from the waiver request.
    • Any pertinent information regarding the conditions of an approved waiver.

Any organization that receives a waiver would be required to submit a report containing the results of the study, no later than 3 months after the study is completed.

The committee would evaluate the report and determine whether the benefits of the proposed revision or new standard significantly outweigh the disadvantages of implementing it and make a recommendation to the Secretary.

V. Response to Comments

Because of the large number of items of correspondence we normally receive on Federal Register documents published for comment, we are not able to acknowledge or respond to them individually. We will consider all comments we receive by the date and time specified in the "DATES" section of this preamble, and, if we proceed with a subsequent document, we will respond to the major comments in the preamble of that document.


©2001-2008 HIPAAssociates, Inc.