(ii) Implementation specifications:

 (A) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

Tell Me More:

Some covered entities perform a variety of functions. If an entity, including a covered entity, provides clearinghouse functions within a larger organization, the ePHI of the clearinghouse must be isolated from the larger organization.

The Isolating Health Care Clearinghouse Functions Implementation Specification will apply to a limited number of organizations. For most, you will indicate “Not Applicable.”

Questions to consider:

  • Does the organization provide clearinghouse functions? If not, you can ignore this implementation specification. (However, you should be sure to document the decision-making process.)
  • Does the organization have policies and procedures to isolate clearinghouse functions from the remainder of the organization?
  • Is access to the clearinghouse ePHI monitored to ensure it is isolated? Auditing is vital to document that the ePHI is actually isolated.