Data Security Regulatory Compliance
Environment and Community Environment & Community
HomeAboutInvestorsCareersNewsContactsSearch
refurbished computer hardware, refurbished computer
 
refurbished monitors, refurbished computer equipment refurbished pc, refurbished computer supplies, refurbished desktop computer refurbished desktop pc, refurbished ibm thinkpad
dot
dot
Secure Data Destruction
dot
dot
Required Regulatory Compliance
dot
dot
PC Retirement ROI
dot
dot
Reseller Program
dot
dot
HIPAA
Health Insurance Portability and Accountability Act
For the reasons set forth in the preamble, the Department of Health and Human Services amends title 45, subtitle A, subchapter C, parts 160, 162, and 164 as set forth below:

PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS
(1) The authority citation for part 160 continues to read as follows:

Authority: Sec. 1171 through 1179 of the Social Security Act, (42   U.S.C.1320d-1329d-8) as added by sec. 262 of Pub. L. 104-191, 110 Stat. 2021-2031 and sec. 264 of Pub. L. 104-191 (42 U.S.C. 1320d-2(note)).

(2) In § 160.103, the definitions of “disclosure”, “electronic media”, “electronic protected health information,” “individual,” “organized health care arrangement”, “protected health information,” and “use” are added in alphabetical order to read as follows:

§ 160.103 Definitions.

(1) Disclosure means the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.

(2) Electronic media means:

(a) Electronic storage media including memory devices in   computers (hard drives) and any   removable/transportable digital   memory medium, such as magnetic tape or disk, optical disk, or digital memory   card; or

  (b) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example,   the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating   parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage   media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions   via electronic media, because the information being exchanged did not exist in electronic form before the transmission.

(3) Electronic protected health information means information that comes within paragraphs (1)(i) or (1)(ii) of the definition of protected health information as specified in this section.

(4) Individual means the person who is the subject of protected health information.

(5) Protected health information means individually identifiable health information:

(a) Except as provided in paragraph (2) of this definition, that is:

    i. Transmitted by electronic media;

    ii. Maintained in electronic media; or

    iii. Transmitted or maintained in any other form or medium.

  (b) Protected health information excludes individually identifiable health information in:

    i. Education records covered by the Family Educational Rights and Privacy Act, as amended, 20     U.S.C. 1232g;

    ii. Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and

    iii. Employment records held by a covered entity in its role as employer.

(6) Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
Subpart C--Security Standards for the Protection of Electronic Protected Health Information
§ 164.306 Security Standards: General Rules.
§ 164.308 Administrative Safeguards.
§ 164.310 Physical Safeguards.
§ 164.314 Organizational Requirements.
§ 164.318 Compliance Dates for the Initial Implementation of the Security Standards.

§ 164.306 Security Standards: General Rules.
(a) General requirements. Covered entities must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

(4) Ensure compliance with this subpart by its workforce.

§ 164.308 Administrative Safeguards.
(a) A covered entity must, in accordance with § 164.306:

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.

§ 164.310 Physical Safeguards.
A covered entity must, in accordance with § 164.306:

(a)(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

(d)(1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

(2) Implementation specifications:

(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

(ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

(iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

(iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

§ 164.314 Organizational Requirements.
(a)(1) Standard: Business associate contracts or other arrangements.

(i) The contract or other arrangement between the covered entity and its business associate required by § 164.308(b) must meet the requirements of paragraph (a)(2)(i) or (a)(2)(ii) of this section, as applicable.

(ii) A covered entity is not in compliance with the standards in § 164.502(e) and paragraph (a) of this section if the covered entity knew of a pattern of an activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful.

(A) Terminated the contract or arrangement, if feasible; or

(B) If termination is not feasible, reported the problem to the Secretary.

(2) Implementation specifications (Required).

(i) Business associate contracts. The contract between a covered entity and a business associate must provide that the business associate will—

(A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart;

(B) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it;

C) Report to the covered entity any security incident of which it becomes aware;

§ 164.310 Physical Safeguards.
A covered entity must, in accordance with § 164.306:

(a)(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

(d)(1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

(2) Implementation specifications:

(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

(ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

(iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

(iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

§ 164.314 Organizational Requirements.
(a)(1) Standard: Business associate contracts or other arrangements.

(i) The contract or other arrangement between the covered entity and its business associate required by § 164.308(b) must meet the requirements of paragraph (a)(2)(i) or (a)(2)(ii) of this section, as applicable.

(ii) A covered entity is not in compliance with the standards in § 164.502(e) and paragraph (a) of this section if the covered entity knew of a pattern of an activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful.

(A) Terminated the contract or arrangement, if feasible; or

(B) If termination is not feasible, reported the problem to the Secretary.

(2) Implementation specifications (Required).

(i) Business associate contracts. The contract between a covered entity and a business associate must provide that the business associate will—

(A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart;

(B) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it;

(C) Report to the covered entity any security incident of which it becomes aware;

(D) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.

(ii) Other arrangements.

(A) When a covered entity and its business associate are both governmental entities, the covered entity is in compliance with paragraph (a)(1) of this section, if—

(1) It enters into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (a)(2)(i) of this section; or

(2) Other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (a)(2)(i) of this section.

(B) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate as specified in § 160.103 of this subchapter to a covered entity, the covered entity may permit the business associate to create, receive, maintain, or transmit electronic protected health information on its behalf to the extent necessary to comply with the legal mandate without meeting the requirements of paragraph (a)(2)(i) of this section, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (a)(2)(ii)(A) of this section, and documents the attempt and the reasons that these assurances cannot be obtained.

(C) The covered entity may omit from its other arrangements authorization of the termination of the contract by the covered entity, as required by paragraph (a)(2)(i)(D) of this section if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate.

(b)(1) Standard: Requirements for group health plans. Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to § 164.504(f)(1)(ii) or (iii), or as authorized under § 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.

(2) Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to—

(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;

(ii) Ensure that the adequate separation required by § 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures;

(iii) Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and

(iv) Report to the group health plan any security incident of which it becomes aware.

§ 164.318 Compliance Dates for the Initial Implementation of the Security Standards.
(a) Health plan.

(1) A health plan that is not a small health plan must comply with the applicable requirements of this subpart no later than April 20, 2005.

(2) A small health plan must comply with the applicable requirements of this subpart no later than April 20, 2006.

(b) Health care clearinghouse. A health care clearinghouse must comply with the applicable requirements of this subpart no later than April 20, 2005.


(c) Health care provider. A covered health care provider must comply with the applicable requirements of this subpart no later than April 20, 2005.

Source: Federal Register
February 20, 2003

arrow Key Elements of the Statute arrow For Whom Compliance is Required
arrow Penalties for Non-Compliance arrow Methods for Achieving Compliance
Movie
Expert Analysis
 
Regulations
Detailed Reporting
Gramm-Leach-Bliley
FACT Act
Sarbanes-Oxley
HIPAA
Orange Arrow Key Elements of the Statute
Orange Arrow For Whom Compliance is Required
Orange Arrow Penalties for Non-Compliance
Orange Arrow Methods for Achieving Compliance
EPA Regulations
eraseyourharddrive.com
Copyright © 2007 QSGI, All Rights Reserved