(ii) Implementation specifications:
(A) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
Tell Me More:
Some covered entities perform a variety of functions. If an entity, including a covered entity, provides clearinghouse functions within a larger organization, the ePHI of the clearinghouse must be isolated from the larger organization.
The Isolating Health Care Clearinghouse Functions Implementation Specification will apply to a limited number of organizations. For most, you will indicate “Not Applicable”.
Questions to consider:
- Does the organization provide clearinghouse functions? If not, you can ignore this implementation specification. (However, you should be sure to document the decision-making process.)
- Does the organization have policies and procedures to isolate clearinghouse functions from the remainder of the organization?
- Is access to the clearinghouse ePHI monitored to ensure it is isolated? Auditing is vital to document that the ePHI is actually isolated.
- NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, Chapter 17
- NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
- NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST SP 800-63, Recommendation for Electronic Authentication