This entry is part 50 of 59 in the series Complete Guide to HIPAA Security Final Rule

(ii) Implementation specifications:

 (A) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

Tell Me More:

Some covered entities perform a variety of functions. If an entity, including a covered entity, provides clearinghouse functions within a larger organization, the ePHI of the clearinghouse must be isolated from the larger organization.

The Isolating Health Care Clearinghouse Functions Implementation Specification will apply to a limited number of organizations.  For most, you will indicate “Not Applicable”

Questions to consider:

  • Does the organization provide clearinghouse functions? If not, you can ignore this implementation specification. (However, you should be sure to document the decision making process).
  • Does the organization have policies and procedures to isolate clearinghouse functions from the remainder of the organization?
  • Is access to the clearinghouse ePHI monitored to ensure it is isolated? Auditing is vital to document the ePHI is actually isolated.
Series Navigation<< 164.308(a)(3)(ii)(B) Standard: Workforce security – Workforce clearance procedure164.308(a)(6)(i) Administrative safeguards – Standard: Security incident procedures >>

Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.