Healthcare compliance rule 45 CFR 164 is part of the Department of Health and Human Services administrative data standards and related requirements. This regulation applies to organizations designated as a health plan, health care provider, health care clearinghouse, or business associate that transmits any health information in electronic form.
The general requirements include:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
- Ensure compliance with this subpart by its workforce.
Section 316 of this healthcare regulation indicates that healthcare-related “Covered Entities” must:
- Implement reasonable and appropriate policies and procedures designed to protect electronic protected health information and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information.
- Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
- Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
- Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.
For more information: http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title45/45cfr164_main_02.tpl