(ii) Implementation specifications:
(A) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
Tell Me More:
Some covered entities perform a variety of functions. If an entity, including a covered entity, provides clearinghouse functions within a larger organization, the ePHI of the clearinghouse must be isolated from the larger organization.
The Isolating Health Care Clearinghouse Functions implementation specification applies to a limited number of organizations. For most, you will indicate "Not Applicable".
Questions to consider:
- Does the organization provide clearinghouse functions? If not, you can mark this implementation specification as not applicable. (However, be sure to document the decision-making process.)
- Does the organization have policies and procedures to isolate clearinghouse functions from the remainder of the organization?
- Is access to the clearinghouse ePHI monitored to ensure it is isolated? Auditing is vital to document that the ePHI is actually isolated.
Related NIST publications:
- NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook (chapter 17)
- NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
- NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST SP 800-63, Recommendation for Electronic Authentication
Posted by Michelle Caswell