View Rule


HHS/CMS RIN: 0938-AI57 Publication ID: Fall 2001 
Title: Security Standards (CMS-0049-F) 
Abstract: This rule implements some of the requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996. It establishes standards for the security of health information used by health plans, health care clearinghouses, and certain health care providers. These entities would use the security standards to develop and maintain the security of all electronic health information. 
Agency: Department of Health and Human Services (HHS)  Priority: Economically Significant 
RIN Status: Previously published in the Unified Agenda Agenda Stage of Rulemaking: Final Rule Stage 
Major: Yes  Unfunded Mandates: No 
EO 13771 Designation: uncollected 
CFR Citation: 45 CFR 162   
Legal Authority: PL 104-191    42 USC 1320d-2(d)   
Legal Deadline:
Action: Final  Source: Statutory  Description: (none)  Date: 02/21/1998 

Statement of Need: The Health Insurance Portability and Accountability Act of 1996 requires the Secretary of Health and Human Services to adopt security standards that require reasonable and appropriate administrative, technical and physical safeguards to: 1) ensure the integrity and confidentiality of health information; 2) protect against any reasonably anticipated threats or hazards to the security or integrity of the information; and 3) protect against unauthorized uses or disclosures of the information. This rule stipulates the requirements necessary to comply with the law.

Summary of the Legal Basis: The Administrative Simplification provisions of HIPAA require the Secretary to establish standards for the security of health information used by health plans, health care clearinghouses, and certain health care providers.

Alternatives: In the absence of Federal regulations, the security of health care information in electronic form would be left to the private sector to develop. It is believed that this course of action would result in an extremely uneven level of protection (ranging from none to excessive) for electronic health information pertaining to individuals and make it difficult, if not impossible, to provide for privacy of this information.

Anticipated Costs and Benefits: Because the effect of any one HIPAA standard depends on the implementation of the other standards, discussing the impact of one standard by itself would be misleading. An Impact Analysis of the total effect of all the standards was therefore published in the proposed rule on the national provider identifier (HCFA-0045-P), which appeared on May 7, 1998 (63 FR 25320). Security protection for health care information is not a stand-alone requirement. Appropriate security protections will be a business enabler, encouraging the growth and use of electronic data interchange. The synergistic effect of the recommended security practices, procedures and technologies will enhance all aspects of HIPAA's Administrative Simplification requirements.

Risks: The storage, handling and transmission of health information have long been paper processes. However, the transition from paper to electronic media has begun and is increasing at a rapid pace. This transition has brought a significantly increased risk to the security and confidentiality of health information, particularly information pertaining to individuals. This rule formally establishes a baseline set of security requirements that must be adopted by health care providers, health plans and health care clearinghouses. Compliance with these requirements will greatly decrease risk to the security, integrity and confidentiality of health information.

Timetable:
Action: NPRM  Date: 08/12/1998  FR Cite: 63 FR 43242 
Action: NPRM Comment Period End  Date: 10/13/1998 
Action: Final Action  Date: To Be Determined 
Regulatory Flexibility Analysis Required: Yes  Government Levels Affected: Federal, Local, State, Tribal 
Small Entities Affected: Businesses  Federalism: Undetermined 
Included in the Regulatory Plan: Yes 
Agency Contact:
Barbara Clark
Office of Information Services
Department of Health and Human Services
Centers for Medicare & Medicaid Services
N2-14-10, 7500 Security Boulevard,
Baltimore, MD 21244-1850
Phone: 410-786-3017