Professional Documents
Culture Documents
HIPAA/HITECH SECURITY AND BREACH NOTIFICATION RULES: CROSSWALK TO THE SHARED ASSESSMENTS STANDARDIZED INFORMATION 5.0)
Summary This document provides a linkage between certain federal regulatory requirements pursuant to the H (HIPAA), the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), a Information Gathering (SIG) questionnaire v5.0. This linkage is presented in the form of a "crosswalk controls questions and specific requirements for information security and breach notification for enti
Scope The scope of this document is limited to three key federal regulations: 1. Health Breach Notification Rule; Final Rule (18 CFR Part 318) The FTC Breach Notification Rule 2. Health Insurance Reform: Security Standards; Final Rule (45 CFR Parts 160, 162, and 164) The " 3. Breach Notification for Unsecured Protected Health Information; Interim Final Rule (45 CFR Parts 1
The Security and HHS Breach Notification Rules are enforced by the US Department of Health and Hu Trade Commission (FTC) enforces the FTC Breach Notification Rule.
Disclaimer The contents of this document are for general guidance only. Nothing in this document should be co you have questions regarding HIPAA/HITECH compliance and/or your organization's legal obligations
Structure of This Document This document is divided into three tabs (including this one). The "TOC" tab provides a simple table o Breach Notification Rules. The "Crosswalk" tab contains the crosswalk between the Rules and SIG v5
Sorting, Outline Structure, and the Security and Breach Notification Rules The crosswalk is organized according to the outline structure of the Rules. Each of the rows represen standard statements are further defined by one or more implementation specifications. In some standard statement can stand on its own without the support of implementation specifications. T intentionally left blank.
The structure of the Security Rule differs from the Breach Notification Rules in that it implements the specifications. A column has been added to highlight these classifications where applicable.
The rows are sorted by default by Title Number, Section Number, and then Subsection Number. Orde Title 18 is specific to the Federal Trade Commission and Title 45 is specific to the Department of Hea
Crosswalk Columns The crosswalk reference to the SIG 5.0 appears at the end of each row. Both Level 1 and Level 2 map linkage between HIPAA/HITECH and the SIG.
Crosswalk Columns The crosswalk reference to the SIG 5.0 appears at the end of each row. Both Level 1 and Level 2 map linkage between HIPAA/HITECH and the SIG.
ESTIONNAIRE (VERSION
ntation specification. Most regulators believe that a alk: some cells are
ddressable implementation
om.
om.
318.6 318.7 318.8 318.9 45 HHS Security 164.302 Rule 164.304 164.306 164.308 164.310 164.312 164.314 164.316 45 HHS Breach 164.400 Notification 164.402 Rule 164.404 164.406 164.408 164.410 164.412 164.414
Administrative Requirements Definitions Breach Notification Requirement Timeliness of Notification Methods of Notice Content of Notice Enforcement Effective Date Sunset Applicability Definitions Security Standards: General Rules Administrative Safeguards Physical Safeguards Technical Safeguards Organizational Requirements Policies and Procedures and Documentation Requirements Applicability Definitions Notification to Individuals Notification to the Media Notification to the Secretary Notification by a Business Associate Law Enforcement Delay Administrative Requirements and Burden of Proof
uirements
Section Title
Administrative Requirements
Administrative Requirements
18
318.1
Administrative Requirements
18
318.1
Section Title
Definitions
Section Title
Title Section Subsection Subsection Title No. No. No. 18 318.3 (a) In General
18
318.3
(b)
18
318.3
(c)
Timeliness of Notification
18
318.4
(a)
In General
Timeliness of Notification
18
318.4
(b)
Burden of Proof
Timeliness of Notification
18
318.4
(c)
Section Title
Title Section Subsection Subsection Title No. No. No. 18 318.5 (a) Individual Notice
Methods of Notice
Methods of Notice
18
318.5
(b)
Notice to Media
Methods of Notice
18
318.5
(c)
Notice to FTC
Section Title
Content of Notice
Enforcement
18
318.7
18 18 45
Section Title
Definitions
45
45
General Requirements
General Requirements
Section Title
Title Section Subsection Subsection Title No. No. No. 45 164.306 000000 00001 164.306 000000 00001 164.306 000000 00001 164.306 000000 00001 (a)(3) General Requirements
45
(a)(4)
General Requirements
45
(b)(1)
Flexibility of Approach
45
(b)(2)
Flexibility of Approach
45
45
Standards
Implementation Specifications
45
45
Implementation Specifications
Implementation Specifications
45
Maintenance
Administrative Safeguards
45
Administrative Safeguards
45
Administrative Safeguards
45
Administrative Safeguards
45
Administrative Safeguards
45
164.308 (a)(2)
Section Title
Title Section Subsection Subsection Title No. No. No. 45 164.308 (a)(3)(ii)(A) Workforce Security
Administrative Safeguards
Administrative Safeguards
45
Administrative Safeguards
45
Administrative Safeguards
45
Administrative Safeguards
45
Administrative Safeguards
45
Administrative Safeguards Administrative Safeguards Administrative Safeguards Administrative Safeguards Administrative Safeguards
45 45 45 45 45
164.308 (a)(5)(ii)(A) Security Awareness and Training 164.308 (a)(5)(ii)(B) Security Awareness and Training 164.308 (a)(5)(ii)(C) Security Awareness and Training 164.308 (a)(5)(ii)(D) Security Awareness and Training 164.308 (a)(6)(ii) Security Incident Procedures
Administrative Safeguards
45
Administrative Safeguards
45
Administrative Safeguards
45
Administrative Safeguards
45
Administrative Safeguards
45
Section Title
Title Section Subsection Subsection Title No. No. No. 45 164.308 (a)(8) Evaluation
Administrative Safeguards
Administrative Safeguards
45
164.308 (b)(1)
Administrative Safeguards
45
164.308 (b)(2)
Administrative Safeguards
45
164.308 (b)(3)
Administrative Safeguards
45
164.308 (b)(4)
Physical Safeguards
45
164.310 (a)(2)(i)
Physical Safeguards
45
164.310 (a)(2)(ii)
Physical Safeguards
45
164.310 (a)(2)(iii)
Physical Safeguards
45
164.310 (a)(2)(iv)
Physical Safeguards
45
164.310 (b)
Workstation Use
45 45
Physical Safeguards
45
164.310 (d)(2)(ii)
Section Title
Title Section Subsection Subsection Title No. No. No. 45 164.310 (d)(2)(iii) Device and Media Controls
Physical Safeguards
Section Title
Title Section Subsection Subsection Title No. No. No. 45 164.310 (d)(2)(iv) Device and Media Controls
Physical Safeguards
Technical Safeguards
45
164.312 (a)(2)(i)
Access Control
Technical Safeguards
45
164.312 (a)(2)(ii)
Access Control
Technical Safeguards
45
164.312 (a)(2)(iii)
Access Control
Technical Safeguards
45
164.312 (a)(2)(iv)
Access Control
Technical Safeguards
45
164.312 (b)
Audit Controls
Technical Safeguards
45
164.312 (c)(2)
Integrity
45 45
Technical Safeguards
45
164.312 (e)(2)(ii)
Transmission Security
Organizational Requirements
45
164.314 (a)(1)(i)
Business Associate Contracts or Other Arrangements Business Associate Contracts or Other Arrangements
Organizational Requirements
45
164.314 (a)(1)(ii)
Organizational Requirements
45
164.314 (a)(2)(i)
Implementation Specifications
Section Title
Title Section Subsection Subsection Title No. No. No. 45 164.314 (a)(2)(ii) Implementation Specifications
Organizational Requirements
Organizational Requirements
45
164.314 (b)(1)
Organizational Requirements
45
164.314 (b)(2)
Implementation Specifications
45
164.316 (a)
Section Title
Title Section Subsection Subsection Title No. No. No. 45 164.316 (b)(1)(i) Documentation
45
164.316 (b)(1)(ii)
Documentation
45
164.316 (b)(1)(iii)
Documentation
45
164.400
Definitions
45
164.402
Notification to Individuals
45
164.404 (a)(1)
Standard
Section Title
Title Section Subsection Subsection Title No. No. No. 45 164.404 (a)(2) Standard
Notification to Individuals
Notification to Individuals
45
164.404 (b)
Implementation Specifications
Notification to Individuals
45
164.404 (c)(1)
Implementation Specifications
Notification to Individuals Notification to Individuals Notification to Individuals Notification to Individuals Notification to the Media
45 45 45 45 45
164.404 (c)(2) 164.404 (d)(1) 164.404 (d)(2) 164.404 (d)(3) 164.406 (a)
45
164.406 (b)
Implementation Specifications
45 45
45
164.408 (b)
Implementation Specifications
45
164.408 (c)
Implementation Specifications
Section Title
Title Section Subsection Subsection Title No. No. No. 45 45 164.410 (a)(1) 164.410 (a)(2) Standard Standard
45
164.410 (b)
Implementation Specifications
45
164.410 (c)(1)
Implementation Specifications
45
164.410 (c)(2)
Implementation Specifications
45
164.412
45
164.414 (a)
Administrative Requirements
45
164.414 (b)
Burden of Proof
Subsection Text
Is it Required or Addressable?
(a) Administrative requirements. A covered entity is required to comply with the administrative requirements of 164.530(b), (d), (e), (g), (h), (i), and (j) with respect to the requirements of this subpart. (b) Burden of proof. In the event of a use or disclosure in violation of subpart E, the covered entity or business associate, as applicable, shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach, as defined at 164.402. (a) Administrative requirements. A covered entity is required to comply with the administrative requirements of 164.530(b), (d), (e), (g), (h), (i), and (j) with respect to the requirements of this subpart. (b) Burden of proof. In the event of a use or disclosure in violation of subpart E, the covered entity or business associate, as applicable, shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach, as defined at 164.402. (a) Administrative requirements. A covered entity is required to comply with the administrative requirements of 164.530(b), (d), (e), (g), (h), (i), and (j) with respect to the requirements of this subpart. (b) Burden of proof. In the event of a use or disclosure in violation of subpart E, the covered entity or business associate, as applicable, shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach, as defined at 164.402.
Subsection Text
Is it Required or Addressable?
(a) Breach of security means, with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual. Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information unless the vendor of personal health records, PHR related entity, or third party service provider that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information. (b) Business associate means a business associate under the Health Insurance Portability and Accountability Act, Public Law 104-191, 110 Stat. 1936, as defined in 45 CFR 160.103. (c) HIPAA-covered entity means a covered entity under the Health Insurance Portability and Accountability Act, Public Law 104-191, 110 Stat. 1936, as defined in 45 CFR 160.103. (d) Personal health record means an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. (e) PHR identifiable health information means individually identifiable health information, as defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)), and, with respect to an individual, information: (1) That is provided by or on behalf of the individual; and (2) That identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. (f) PHR related entity means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that: (1) Offers products or services through the Web site of a vendor of personal health records; (2) Offers products or services through the Web sites of HIPAA-covered entities that offer individuals personal health records; or (3) Accesses information in a personal health record or sends information to a personal health record. (g) State means any of the several States, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa and the Northern Mariana Islands. (h) Third party service provider means an entity that: (1) Provides services to a vendor of personal health records in connection with the offering or maintenance of a personal health record or to a PHR related entity in connection with a product or service offered by that entity; and (2) Accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information as a result of such services. (i) Unsecured means PHR identifiable information that is not protected through the use of a technology or methodology specified by the Secretary of Health and Human Services in the guidance issued under section 13402(h)(2) of the American Reinvestment and Recovery Act of 2009. (j) Vendor of personal health records means an entity, other than a HIPAAcovered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a personal health record. (b) Burden of proof. In the event of a use or disclosure in violation of subpart E, the covered entity or business associate, as applicable, shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach, as defined at 164.402.
Subsection Text
Is it Required or Addressable?
In accordance with 318.4, 318.5, and 318.6, each vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor, and each PHR related entity, following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity, shall: (1) Notify each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such breach of security; and (2) Notify the Federal Trade Commission. A third party service provider shall, following the discovery of a breach of security, provide notice of the breach to an official designated in a written contract by the vendor of personal health records or the PHR related entity to receive such notices or, if such a designation is not made, to a senior official at the vendor of personal health records or PHR related entity to which it provides services, and obtain acknowledgment from such official that such notice was received. Such notification shall include the identification of each customer of the vendor of personal health records or PHR related entity whose unsecured PHR identifiable health information has been, or is reasonably believed to have been, acquired during such breach. For purposes of ensuring implementation of this requirement, vendors of personal health records and PHR related entities shall notify third party service providers of their status as vendors of personal health records or PHR related entities subject to this Part. A breach of security shall be treated as discovered as of the first day on which such breach is known or reasonably should have been known to the vendor of personal health records, PHR related entity, or third party service provider, respectively. Such vendor, entity, or third party service provider shall be deemed to have knowledge of a breach if such breach is known, or reasonably should have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of such vendor of personal health records, PHR related entity, or third party service provider. Except as provided in paragraph (c) of this section and 318.5(c), all notifications required under 318.3(a)(1), 318.3(b), and 318.5(b) shall be sent without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security. The vendor of personal health records, PHR related entity, and third party service provider involved shall have the burden of demonstrating that all notifications were made as required under this Part, including evidence demonstrating the necessity of any delay. If a law enforcement official determines that a notification, notice, or posting required under this Part would impede a criminal investigation or cause damage to national security, such notification, notice, or posting shall be delayed. This paragraph shall be implemented in the same manner as provided under 45 CFR 164.528(a)(2), in the case of a disclosure covered under such section.
Subsection Text
Is it Required or Addressable?
A vendor of personal health records or PHR related entity that discovers a breach of security shall provide notice of such breach to an individual promptly, as described in 318.4, and in the following form: (1) Written notice, by first-class mail to the individual at the last known address of the individual, or by email, if the individual is given a clear, conspicuous, and reasonable opportunity to receive notification by first-class mail, and the individual does not exercise that choice. If the individual is deceased, the vendor of personal health records or PHR related entity that discovered the breach must provide such notice to the next of kin of the individual if the individual had provided contact information for his or her next of kin, along with authorization to contact them. The notice may be provided in one or more mailings as information is available. (2) If, after making reasonable efforts to contact all individuals to whom notice is required under 318.3(a), through the means provided in paragraph (a)(1) of this section, the vendor of personal health records or PHR related entity finds that contact information for ten or more individuals is insufficient or outof-date, the vendor of personal health records or PHR related entity shall provide substitute notice, which shall be reasonably calculated to reach the individuals affected by the breach, in the following form: (i) Through a conspicuous posting for a period of 90 days on the home page of its Web site; or (ii) In major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. Such a notice in media or web posting shall include a toll-free phone number, which shall remain active for at least 90 days, where an individual can learn whether or not the individual's unsecured PHR identifiable health information may be included in the breach. (3) In any case deemed by the vendor of personal health records or PHR related entity to require urgency because of possible imminent misuse of unsecured PHR identifiable health information, that entity may provide information to individuals by telephone or other means, as appropriate, in addition to notice provided under paragraph (a)(1) of this section. A vendor of personal health records or PHR related entity shall provide notice to prominent media outlets serving a State or jurisdiction, following the discovery of a breach of security, if the unsecured PHR identifiable health information of 500 or more residents of such State or jurisdiction is, or is reasonably believed to have been, acquired during such breach. Vendors of personal health records and PHR related entities shall provide notice to the Federal Trade Commission following the discovery of a breach of security. If the breach involves the unsecured PHR identifiable health information of 500 or more individuals, then such notice shall be provided as soon as possible and in no case later than ten business days following the date of discovery of the breach. If the breach involves the unsecured PHR identifiable health information of fewer than 500 individuals, the vendor of personal health records or PHR related entity may maintain a log of any such breach, and submit such a log annually to the Federal Trade Commission no later than 60 calendar days following the end of the calendar year, documenting breaches from the preceding calendar year. All notices pursuant to this paragraph shall be provided according to instructions at the Federal Trade Commission's Web site.
Subsection Text
Is it Required or Addressable?
Regardless of the method by which notice is provided to individuals under 318.5 of this part, notice of a breach of security shall be in plain language and include, to the extent possible, the following: (a) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; (b) A description of the types of unsecured PHR identifiable health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code); (c) Steps individuals should take to protect themselves from potential harm resulting from the breach; (d) A brief description of what the entity that suffered the breach is doing to investigate the breach, to mitigate harm, and to protect against any further breaches; and (e) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, Web site, or postal address. A violation of this part shall be treated as an unfair or deceptive act or practice in violation of a regulation under 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices. This part shall apply to breaches of security that are discovered on or after September 24, 2009. If new legislation is enacted establishing requirements for notification in the case of a breach must comply with the to entities covered by implementation A covered entity of security that apply applicable standards, this part, the provisions of this part shall not apply to subpart withsecurity discovered on or specifications, and requirements of this breaches of respect to electronic after the effective date of regulations implementing such legislation. protected health information.
Subsection Text
Is it Required or Addressable?
As used in this subpart, the following terms have the following meanings: Access means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. (This definition applies to access as used in this subpart, not as used in subparts D or E of this part.) Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information. Authentication means the corroboration that a person is the one claimed. Availability means the property that data or information is accessible and useable upon demand by an authorized person. Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes. Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. Facility means the physical premises and the interior and exterior of a building(s). Information system means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people. Integrity means the property that data or information have not been altered or destroyed in an unauthorized manner. Malicious software means software, for example, a virus, designed to damage or disrupt a system. Password means confidential authentication information composed of a string of characters. Physical safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion. Security or security measures encompass all of the administrative, physical, and technical safeguards in an information system. Security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. Technical safeguards means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it. User means a person or entity with authorized access.F9 Workstation means an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
Subsection Text
Is it Required or Addressable?
Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part. Ensure compliance with this subpart by its workforce.
Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart. In deciding which security measures to use, a covered entity must take into account the following factors: (i) The size, complexity, and capabilities of the covered entity. (ii) The covered entity's technical infrastructure, hardware, and software security capabilities. (iii) The costs of security measures. (iv) The probability and criticality of potential risks to electronic protected health information. A covered entity must comply with the standards as provided in this section and in 164.308, 164.310, 164.312, 164.314, and 164.316 with respect to all electronic protected health information. Implementation specifications are required or addressable. If an implementation specification is required, the word Required appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word Addressable appears in parentheses after the title of the implementation specification. When a standard adopted in 164.308, 164.310, 164.312, 164.314, or 164.316 includes required implementation specifications, a covered entity must implement the implementation specifications. When a standard adopted in 164.308, 164.310, 164.312, 164.314, or 164.316 includes addressable implementation specifications, a covered entity must (i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and (ii) As applicable to the entity (A) Implement the implementation specification if reasonable and appropriate; or (B) If implementing the implementation specification is not reasonable and appropriate (1) Document why it would not be reasonable and appropriate to implement the implementation specification; and, (2) Implement an equivalent alternative measure if reasonable and appropriate. Security measures implemented to comply with standards and implementation specifications adopted under 164.105 and this subpart must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of electronic protected health information as described at 164.316. Implement policies and procedures to prevent, detect, contain, and correct Risk Analysis security violations.
Required
Implement policies and procedures to prevent, detect, contain, and correct security violations. Implement policies and procedures to prevent, detect, contain, and correct security violations. Implement policies and procedures to prevent, detect, contain, and correct security violations. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.
Risk Management
Required
Sanction Policy
Required
Required
Subsection Text
Implement policies and procedures to ensure that all members of its Authorization and/or workforce have appropriate access to electronic protected health information, Supervision as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. Implement policies and procedures to ensure that all members of its Workforce Clearance workforce have appropriate access to electronic protected health information, Procedure as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. Implement policies and procedures to ensure that all members of its Termination Procedures workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. Isolated Health Clearinghouse Functions
Addressable
Addressable
Required
Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. Implement a security awareness and training program for all members workforce (including management). Implement a security awareness and training program for all members workforce (including management). Implement a security awareness and training program for all members workforce (including management). Implement a security awareness and training program for all members workforce (including management). Implement policies and procedures to address security incidents. of its of its of its of its
Access Authorization
Addressable
Security Reminders Protection from Malicious Software Log-in Monitoring Password Management Response and Reporting
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
Required
Required
Required
Addressable
Addressable
Subsection Text
Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
A covered entity, in accordance with 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with 164.314(a) that the business associate will appropriately safeguard the information. A covered entity, in accordance with 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entitys behalf only if the covered entity obtains satisfactory assurances, in accordance with 164.314(a) that the business associate will appropriately safeguard the information.
A covered entity, in accordance with 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entitys behalf only if the covered entity obtains satisfactory assurances, in accordance with 164.314(a) that the business associate will appropriately safeguard the information. A covered entity, in accordance with 164.306, may permit a business Written contract or other associate to create, receive, maintain, or transmit electronic protected health arrangement information on the covered entitys behalf only if the covered entity obtains satisfactory assurances, in accordance with 164.314(a) that the business associate will appropriately safeguard the information. Implement policies and procedures to limit physical access to its electronic Contingency Operations information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. Facility Security Plan
Required
Addressable
Addressable
Addressable
Maintenance Records
Addressable
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. Implement policies and procedures that govern the receipt and removal of Disposal hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. Implement policies and procedures that govern the receipt and removal of Media Reuse hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
Required
Required Required
Required
Subsection Text
Implement policies and procedures that govern the receipt and removal of Accountability hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
Subsection Text
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4). Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4). Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4). Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4). Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
Required
Required
Automatic Logoff
Addressable
Required
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. Implement technical security measures to guard against unauthorized access Integrity Controls to electronic protected health information that is being transmitted over an electronic communications network. Implement technical security measures to guard against unauthorized access Encryption to electronic protected health information that is being transmitted over an electronic communications network. The contract or other arrangement between the covered entity and its business associate required by 164.308(b) must meet the requirements of paragraph (a)(2)(i) or (a)(2)(ii) of this section, as applicable. A covered entity is not in compliance with the standards in 164.502(e) and paragraph (a) of this section if the covered entity knew of a pattern of an activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful (A) Terminated the contract or arrangement, if feasible; or (B) If termination is not feasible, reported the problem to the Secretary. Business Associate Contracts
Addressable
Required
Subsection Text
Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to 164.504(f)(1)(ii) or (iii), or as authorized under 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan. Required
Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
Subsection Text
(i) Maintain the policies and procedures implemented to comply with this Time limit subpart in written (which may be electronic) form; and (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. (i) Maintain the policies and procedures implemented to comply with this Availability subpart in written (which may be electronic) form; and (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
Required
(i) Maintain the policies and procedures implemented to comply with this Updates subpart in written (which may be electronic) form; and (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. The requirements of this subpart shall apply with respect to breaches of protected health information occurring on or after September 23, 2009. As used in this subpart, the following terms have the following meanings: Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information. (1)(i) For purposes of this definition, compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual. (ii) A use or disclosure of protected health information that does not include the identifiers listed at 164.514(e)(2), date of birth, and Zip code does not compromise the security or privacy of the protected health information. (2) Breach excludes: (i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part. (ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part. (iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information. Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111 5 on the HHS Web site. General rule. A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.
Required
Subsection Text
Is it Required or Addressable?
Breaches treated as discovered. For purposes of paragraph (a)(1) of this section, 164.406(a), and 164.408(a), a breach shall be treated as discovered by a covered entity as of the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence would have been known to the covered entity. A covered entity shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity (determined in accordance with the federal common law of agency). Except as provided in 164.412, a covered entity shall provide the notification Timeliness of notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. (1) Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: (A) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; (B) A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); (C) Any steps individuals should take to protect themselves from potential harm resulting from the breach; (D) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and (E) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address. Plain language requirement. The notification required by paragraph (a) of this Content of notification section shall be written in plain language. The notification required by paragraph (a) of this section shall be provided in Methods of individual the following form: notification The notification required by paragraph (a) of this section shall be provided in Methods of individual the following form: notification The notification required by paragraph (a) of this section shall be provided in Methods of individual the following form: notification For a breach of unsecured protected health information involving more than 500 residents of a State or jurisdiction, a covered entity shall, following the discovery of the breach as provided in 164.404(a)(2), notify prominent media outlets serving the State or jurisdiction. For purposes of this section, State includes American Samoa and the Northern Mariana Islands. Except as provided in 164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. The notification required by paragraph (a) of this section shall meet the requirements of 164.404(c). A covered entity shall, following the discovery of a breach of unsecured protected health information as provided in 164.404(a)(2), notify the Secretary. For breaches of unsecured protected health information involving 500 or more individuals, a covered entity shall, except as provided in 164.412, provide the notification required by paragraph (a) of this section contemporaneously with the notice required by 164.404(a) and in the manner specified on the HHS Web site. For breaches of unsecured protected health information involving less than 500 individuals, a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches occurring during the preceding calendar year, in the manner specified on the HHS Web site. Content of notification Content of notification
Subsection Text
Is it Required or Addressable?
A business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach. For purposes of paragraph (1) of this section, a breach shall be treated as Breaches treated as discovered by a business associate as of the first day on which such breach is discovered known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the federal common law of agency). Except as provided in 164.412, a business associate shall provide the Timeliness of notification notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. The notification required by paragraph (a) of this section shall include, to the Content of notification extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach. A business associate shall provide the covered entity with any other available Content of notification information that the covered entity is required to include in notification to the individual under 164.404(c) at the time of the notification required by paragraph (a) of this section or promptly thereafter as information becomes available. If a law enforcement official states to a covered entity or business associate that a notification, notice, or posting required under this subpart would impede a criminal investigation or cause damage to national security, a covered entity or business associate shall: (a) If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or (b) If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described in paragraph (a) of this section is submitted during that time. A covered entity is required to comply with the administrative requirements of 164.530(b), (d), (e), (g), (h), (i), and (j) with respect to the requirements of this subpart. In the event of a use or disclosure in violation of subpart E, the covered entity or business associate, as applicable, shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach, as defined at 164.402.
L 1.55-1.56
L 2.314-2.316
L 1.1, L 1.2
L 2.1
L 1.1
L 2.1
L 1.1
L 2.1
L 1.12-1.15
L 2.13-2.15
L 1.1
L 2.1
L 1.1
L 2.1
L 1.2
L 2.1-2.5
L 1.2
L 2.1-2.5, L 2.6
L 1.2
L 2.6
L 1.1, L 1.2
L 2.1-2.5, L 2.6
L 1.1
L 2.8-2.10
Conduct an accurate and thorough assessment of the potential L risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. Implement security measures sufficient to reduce risks and L vulnerabilities to a reasonable and appropriate level to comply with 164.306(a). Apply appropriate sanctions against workforce members who fail L to comply with the security policies and procedures of the covered entity. Implement procedures to regularly review records of information L system activity, such as audit logs, access reports, and security incident tracking reports. L
1.1
L 2.1
1.1
L 2.1-2.5
1.16
L 2.56
1.64
1.6
L 2.16-2.18, L 2.23
Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
L 1.12
L 2.44-2.45
Implement procedures to determine that the access of a L 1.12 workforce member to electronic protected health information is appropriate.
L 2.44-2.45
Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends [end of sentence omitted].
L 1.41-1.44
L 2.57-2.60
If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. Implement policies and procedures that, based upon the entitys access authorization policies, establish, document, review, and modify a users right of access to a workstation, transaction, program, or process. Periodic security updates.
L 1.1, L 1.41-1.44
L 2.1, L 2.192-2.206
L 1.41-1.44
L 2.192-2.195, 2.197-2.227
L 1.41-1.44
L 1.15
Procedures for guarding against, detecting, and reporting L 1.15, L 1.26 malicious software. Procedures for monitoring log-in attempts and reporting discrepancies. Procedures for creating, changing, and safeguarding passwords. L 1.42 Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. L 1.51-1.52
L 1.27
L 2.108-2.111
Establish (and implement as needed) procedures to restore any L 1.53 loss of data.
L 2.282-2.285
Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. Implement procedures for periodic testing and revision of contingency plans.
L 1.54
L 2.288-2-2.299
L 1.53
Assess the relative criticality of specific applications and data in L 1.1, L 1.9-1.10, L 1.53 L 2.1, L 2.36, L 2.283-2.284 support of other contingency plan components.
L 1.1
L 2.1-2.5
L 1.56
L 2.316
This standard does not apply with respect to (i) The transmission by a covered entity of electronic protected health information to a health care provider concerning the treatment of an individual. (ii) The transmission of electronic protected health information by a group health plan or an HMO or health insurance issuer on behalf of a group health plan to a plan sponsor, to the extent that the requirements of 164.314(b) and 164.504(f) apply and are met; or (iii) The transmission of electronic protected health information from or to other agencies providing the services at 164.502(e) (1)(ii)(C), when the covered entity is a health plan that is a government program providing public benefits, if the requirements of 164.502(e)(1)(ii)(C) are met.
L 1.56
L 2.316
L 1.56
L 2.316
Document the satisfactory assurances required by paragraph (b) L 1.56 (1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of 164.314(a). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. Implement procedures to control and validate a persons access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). L 1.18
L 2.316
L 2.61
L 1.18, L 1.53
L 2.61-2.80
L 1.18
L 2.275
L 1.18
L 2.261-2.262
L 1.18
L 2.261-2.262
L 1.18
L 2.261-2.262, L 2.275
Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electro L 1.18 L 2.39
Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
L 1.31
L 2.40
Maintain a record of the movements of hardware and electronic L 1.18 media and any person responsible therefore.
L 2.34, L 2.37
Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
L 1.53
L 2.90, L 2.109
Assign a unique name and/or number for identifying and tracking user identity.
L 1.41
Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
L 1.53
L 2.193
[No Linkage]
L 2.232-2.233
Implement a mechanism to encrypt and decrypt electronic protected health information.CLICKABLE NOTE: The HITECH Act (and resulting re L 1.50, L 1.60, L 1.85 L 2.261-2.274
L 1.64-1.65
Implement electronic mechanisms to corroborate that electronic L 1.87 protected health information has not been altered or destroyed in an unauthorized manner. L 1.77
L 2.193, L 2.204
Implement security measures to ensure that electronically L 1.87 L 2.35-2.37 transmitted electronic protected health information is not improperly modified without detection until disposed of. Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.CLICKABLE NOTE: The HITECH A L 1.50, L 1.60, L 1.85 L 2.261-2.274
L 1.55-1.56
L 2.314-2.316
L 1.55-1.56
L 2.314-2.316
The contract between a covered entity and a business associate L 1.55-1.56 must provide that the business associate will (A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart; (B) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it; (C) Report to the covered entity any security incident of which it becomes aware; (D) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.
L 2.314-2.316
(A) When a covered entity and its business associate are both governmental entities, the covered entity is in compliance with paragraph (a)(1) of this section, if ( 1 ) It enters into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (a)(2)(i) of this section; or ( 2 ) Other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (a)(2)(i) of this section. (B) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate as specified in 160.103 of this subchapter to a covered entity, the covered entity may permit the business associate to create, receive, maintain, or transmit electronic protected health information on its behalf to the extent necessary to comply with the legal mandate without meeting the requirements of paragraph (a)(2)(i) of this section, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (a)(2)(ii)(A) of this section, and documents the attempt and the reasons that these assurances cannot be obtained. (C) The covered entity may omit from its other arrangements authorization of the termination of the contract by the covered entity, as required by paragraph (a)(2)(i)(D) of this section if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate.
L 1.55-1.56
L 2.314-2.316
L 1.55-1.56
L 2.314-2.316
The plan documents of the group health plan must be amended L 1.55-1.56 to incorporate provisions to require the plan sponsor to (i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan; (ii) Ensure that the adequate separation required by 164.504(f) (2)(iii) is supported by reasonable and appropriate security measures; (iii) Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and (iv) Report to the group health plan any security incident of which it becomes aware.
L 2.314-2.316
L 1.55-1.56
L 2.314-2.316
Retain the documentation required by paragraph (b)(1) of this L 1.59 section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
L 1.55, L 1.56
L 2.314, L 2.316
Review documentation periodically, and update as needed, in L.1.56, L 1.61, L 1.63, L response to environmental or operational changes affecting the 1.64 security of the electronic protected health information. L 1.55-1.56, L 1.61, L 1.86 L 1.55-1.56, L 1.61, L 1.86
L 2.329-2.330
L 1.55-1.56, 1.86 L 1.55-1.56, 1.86 L 1.55-1.56, 1.86 L 1.55-1.56, 1.86 L 1.55-1.56, 1.86
L 2.314, L 2.316, L 2.388 L 2.314, L 2.316, L 2.388 L 2.314, L 2.316, L 2.388 L 2.314, L 2.316, L 2.388 L 2.314, L 2.316, L 2.388