View Rule


HHS/CMS RIN: 0938-AI57 Publication ID: Spring 2003 
Title: Security Standards (CMS-0049-F) 
Abstract: This final rule is being jointly developed by CMS and the Department of Commerce. This final rule adopts standards for the security of certain electronic, individually identifiable health information of health plans, health care clearinghouses, and certain health care providers. It implements administrative simplification initiatives that have a national scope beyond the Medicare and Medicaid programs. 
Agency: Department of Health and Human Services(HHS)  Priority: Other Significant 
RIN Status: Previously published in the Unified Agenda Agenda Stage of Rulemaking: Completed Actions 
Major: Yes  Unfunded Mandates: No 
EO 13771 Designation: uncollected 
CFR Citation: 45 CFR 162   
Legal Authority: PL 104-191    42 USC 1320d-2(d)   
Legal Deadline:
Action  Source     Description  Date
Final   Statutory               02/21/1998

Statement of Need: The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 required the Department to adopt standards for security. Currently, no standard measures exist in the health care industry that address all aspects of the security of electronic health information while it is being stored or transmitted between entities. The use of the security standards will improve the Medicare and Medicaid programs, other Federal health programs, and private health programs, and will improve the effectiveness and efficiency of the health care industry in general by establishing a level of protection for certain electronic health information.

Summary of the Legal Basis: This final rule implements some of the requirements of the Administrative Simplification subtitle of HIPAA.

Alternatives: Existing security standards do not encompass all the requirements set forth in the law.

Anticipated Costs and Benefits: We cannot determine the specific economic impact of the standards in this final rule (and individually each standard may not have a significant impact), because the cost of implementing the security standards will vary depending on each entity's risk assessment and on what is already in place. In addition, it is important to recognize that security is not a one-time project, but rather an on-going, dynamic process. However, the overall impact analysis makes clear that, collectively, all the HIPAA standards will have a significant impact of over $100 million on the economy. We believe that the overall Administrative Simplification costs will be offset by future savings. Implementation of the security standards will provide confidentiality, integrity and availability protections to certain personally identifiable health information. The synergistic effect of the employment of the security standards will also enhance all aspects of HIPAA's Administrative Simplification requirements.

Risks: The security of electronic protected health information is, and has been for some time, a basic business requirement that health care entities ignore at their peril. Instances of "hacking" and other security violations may be widely publicized, and can seriously damage an institution's community standing. Appropriate security protections are crucial for encouraging the growth and use of electronic data interchange.

Action                   Date        FR Cite
NPRM                     08/12/1998  63 FR 43242
NPRM Comment Period End  10/13/1998
Final Rule               02/20/2003  68 FR 8334
Regulatory Flexibility Analysis Required: Yes  Government Levels Affected: Federal, Local, State, Tribal 
Small Entities Affected: Businesses  Federalism: No 
Included in the Regulatory Plan: Yes 
Agency Contact:
Barbara Clark
Office of Information Services
Department of Health and Human Services
Centers for Medicare & Medicaid Services
N2-14-10, 7500 Security Boulevard,
Baltimore, MD 21244-1850
Phone: 410 786-3017