View Rule
HHS/CMS | RIN: 0938-AI57 | Publication ID: Fall 1999 |
Title: Security and Electronic Signature Standards (HCFA-0049-F) | |
Abstract: This rule implements some of the requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996. It establishes standards for the security of health information and electronic signature use by health plans, health care clearinghouses, and health care providers. These entities would use the security standard to develop and maintain the security of all electronic health information pertaining to an individual. The electronic signature standard is applicable only with respect to use with the specific transactions defined in the Health Insurance Portability and Accountability Act of 1996. | |
Agency: Department of Health and Human Services (HHS) | Priority: Economically Significant |
RIN Status: Previously published in the Unified Agenda | Agenda Stage of Rulemaking: Final Rule Stage |
Major: Yes | Unfunded Mandates: No |
CFR Citation: 45 CFR 162 | |
Legal Authority: PL 104-191; 42 USC 1320d-2 |
Legal Deadline:
Statement of Need: The Health Insurance Portability and Accountability Act of 1996 requires the Secretary of Health and Human Services to adopt security standards that require reasonable and appropriate administrative, technical and physical safeguards to (1) ensure the integrity and confidentiality of health information, (2) protect against any reasonably anticipated threats or hazards to the security or integrity of the information and protect against unauthorized uses or disclosures of the information. Further, the Secretary, in coordination with the Secretary of Commerce, is to adopt standards specifying procedures for the electronic transmission and authentication of signatures with respect to certain transactions specified in HIPAA. This rule stipulates the requirements necessary to comply with the law. |
Summary of the Legal Basis: The Administrative Simplification provisions of HIPAA require the Secretary to establish standards for the security of health information and electronic signature use by health plans, health care clearinghouses, and health care providers. |
Alternatives: In the absence of federal regulations, the security of health care information in electronic form would be left to the private sector to develop. It is believed that this course of action would result in an extremely uneven level of protection (ranging from none to excessive) for electronic health information pertaining to individuals and make it difficult, if not impossible, to provide for privacy of this information. |
Anticipated Costs and Benefits: As the effect of any one of the HIPAA standards is affected by the implementation of other standards, it is misleading to discuss the impact of one standard by itself. Therefore, an Impact Analysis on the total effect of all the standards was published in the proposed rule concerning the national provider identifier (HCFA-0045-P) which was published on May 7, 1998 (63 FR 25320). Security protection for health care information is not a "stand alone" type requirement. Appropriate security protections will be a business enabler, encouraging the growth and use of electronic data interchange. The synergistic effect of the employment of the recommended security practices, procedures and technologies will enhance all aspects of HIPAA's Administrative Simplification requirements. |
Risks: The storage, handling and transmission of health information has long been a paper process. However, the transition from paper to electronic media has begun and is increasing at a rapid pace. This transition has brought on a significantly increased risk to the security and confidentiality of health information, particularly for information pertaining to individuals. This rule formally establishes a baseline set of requirements for security that must be adopted by health care providers, health plans and health care clearinghouses. Compliance with these requirements will greatly decrease risk to the security, integrity and confidentiality of health information pertaining to individuals. |
Timetable:
Regulatory Flexibility Analysis Required: Yes | Government Levels Affected: Federal, Local, State, Tribal |
Small Entities Affected: Businesses | |
Included in the Regulatory Plan: Yes | |
Agency Contact: Barbara Clark, Office of Information Services, Department of Health and Human Services, Centers for Medicare & Medicaid Services, N2-14-10, 7500 Security Boulevard, Baltimore, MD 21244-1850, Phone: 410 786-3017 |