View Rule

Printer-Friendly Version Download RIN Data in XML

HHS/CMS

RIN: 0938-AI57

Publication ID: Spring 2003

Title: Security Standards (CMS-0049-F)
Abstract: This final rule is being jointly developed by CMS and the Department of Commerce. This final rule adopts standards for the security of certain electronic, individually identifiable health information of health plans, health care clearinghouses, and certain health care providers. It implements administrative simplification initiatives that have a national scope beyond the Medicare and Medicaid programs.
Agency: Department of Health and Human Services(HHS)	Priority: Other Significant
RIN Status: Previously published in the Unified Agenda	Agenda Stage of Rulemaking: Completed Actions
Major: Yes	Unfunded Mandates: No
CFR Citation: 45 CFR 162
Legal Authority: PL 104-191 42 USC 1320d-2(d)

Legal Deadline:

Action	Source	Description	Date
Final	Statutory		02/21/1998

Statement of Need: The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1966 required the Department to adopt standards for security. Currently, no standard measures exist in the health care industry that address all aspects of the security of electronic health information while it is being stored or transmitted between entities. The use of the security standards will improve the Medicare and Medicaid programs, and other Federal health programs and private health programs, and the effectiveness and efficiency of the health care industry in general by establishing a level of protection for certain electronic health information.

Summary of the Legal Basis: This final rule implements some of the requirements of the Administrative Simplification subtitle of HIPAA.

Alternatives: Existing security standards do not encompass all the requirements set forth in the law.

Anticipated Costs and Benefits: Although we cannot determine the specific economic impact of the standards in this final rule (and individually each standard may not have a significant impact), we are unable to estimate the cost of implementing the security standards as implementation needs will vary dependent upon each entity's risk assessment and upon what is already in place. In addition, it is important to recognize that security is not a one-time project, but rather an on-going, dynamic process. However, the overall impact analysis makes clear that, collectively, all the HIPAA standards will have a significant impact of over $100 million on the economy. We believe that the overall Administrative Simplification costs will be offset by future savings. Implementation of the security standards will provide confidentiality, integrity and availability protections to certain personaly identifiable health information. The synergistic effect of the employment of the security standards will also enhance all aspects of HIPAA's Administrative Simplification requirements.

Risks: The security of electronic protected health information is, and has been for some time, a basic business requirement that health care entities ignore at their peril. Instances of "hacking" and other security violations may be widely publicized, and can seriously damage an institution's community standing. Appropriate security protections are crucial for encouraging the growth and use of electronic data interchange.

Timetable:

Action	Date	FR Cite
NPRM	08/12/1998	63 FR 43242
NPRM Comment Period End	10/13/1998
Final Rule	02/20/2003	68 FR 8334

Regulatory Flexibility Analysis Required: Yes	Government Levels Affected: Federal, Local, State, Tribal
Small Entities Affected: Businesses	Federalism: No
Included in the Regulatory Plan: Yes
Agency Contact: Barbara Clark Office of Information Services Department of Health and Human Services Centers for Medicare & Medicaid Services N2-14-10, 7500 Security Boulevard, Baltimore, MD 21244-1850 Phone:410 786-3017