(as published in the Federal Register, February 20, 2003)
Compliance Date: April 21, 2005 for most covered entities
(April 21, 2006 for small health plans)
HHS SUMMARY: This final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers. The use of the security standards will improve the Medicare and Medicaid programs, and other Federal health programs and private health programs, and the effectiveness and efficiency of the health care industry in general by establishing a level of protection for certain electronic health information. This final rule implements some of the requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Full Document:
Referenced NIST publications:
SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996 (PDF)
SP 800-16 Information Technology Security Training Requirements: A Role- and Performance-Based Model (supersedes NIST Spec. Pub. 500-172), April 1998, broken down into 3 parts:
Part 1 - document (PDF)
Part 2 - Appendix A-D (PDF)
Part 3 - Appendix E (PDF)
SP 800-33 Underlying Technical Models for Information Technology Security, December 2001 (PDF)
PREAMBLE:
Summary and Introduction
I. Background
II. General Overview of the Provisions of the Proposed Rule
III. Analysis of, and Responses to, Public Comments on the Proposed Rule
A. General Issues
B. Applicability (§ 164.302)
C. Transition to the Final Rule
D. General Rules (§ 164.306)
E. Administrative Safeguards (§ 164.308)
1. Security Management Process (§ 164.308(a)(1)(i))
2. Assigned Security Responsibility (§ 164.308(a)(2))
3. Workforce Security (§ 164.308(a)(3)(i))
4. Information Access Management (§ 164.308(a)(4))
5. Security Awareness and Training (§ 164.308(a)(5)(i))
6. Security Incident Procedures (§ 164.308(a)(6))
7. Contingency Plan (§ 164.308(a)(7)(i))
8. Evaluation (§ 164.308(a)(8))
8(sic). Business Associate Contracts or Other Arrangements (§ 164.308(b)(1))
9. Proposed Requirements Not Adopted in This Final Rule
F. Physical Safeguards (§ 164.310)
1. General Comments
2. Facility Access Controls (§ 164.310(a)(1))
3. Workstation Use (§ 164.310(b))
4. Workstation Security (§ 164.310(c))
5. Device and Media Controls (§ 164.310(d)(1))
G. Technical Safeguards (§ 164.312)
1. Access Control (§ 164.312(a)(1))
2. Audit Controls (§ 164.312(b))
3. Integrity (§ 164.312(c)(1))
4. Person or Entity Authentication (§ 164.312(d))
5. Transmission Security (§ 164.312(e)(1))
H. Organizational Requirements (§ 164.314)
1. Health Care Clearinghouses
2. Business Associate Contracts and Other Arrangements
I. Policies and Procedures and Documentation Requirements (§ 164.316)
J. Compliance Dates for Initial Implementation (§ 164.318)
K. Appendix
L. Miscellaneous Issues
1. Preemption
2. Enforcement
3. Comment Period
M. Proposed Impact Analysis
IV. Regulatory Impact Analysis
A. Overall Impact
B. Anticipated Effects
C. Changes from the 1998 Impact Analysis
D. Guiding Principles for Standard Selection
E. Affected Entities
F. Factors in Establishing the Security Standard
G. Alternatives Considered
V. Collection of Information Requirements
IV(sic). Provisions of the Final Regulation
REGULATION TEXT:
PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS
PART 162--ADMINISTRATIVE REQUIREMENTS
PART 164--SECURITY AND PRIVACY
1. Authority citation for part 164
2. § 164.103 Definitions
3. § 164.104 Applicability.
4. § 164.105 Organizational requirements.
5. Subpart C--Security Standards for the Protection of Electronic Protected Health Information
164.302 Applicability.
164.304 Definitions.
164.306 Security standards: General rules.
164.308 Administrative safeguards.
164.310 Physical safeguards.
164.312 Technical safeguards.
164.314 Organizational requirements.
164.316 Policies and procedures and documentation requirements.
164.318 Compliance dates for the initial implementation of the security standards.
Appendix A to Subpart C of Part 164:
ADMINISTRATIVE SAFEGUARDS
PHYSICAL SAFEGUARDS
TECHNICAL SAFEGUARDS (see § 164.312)
6. § 164.500 Amended
7. § 164.501 Amended
8. § 164.504 Amended
For reference, here is the proposed rule.