NRPM: Security and Electronic Signature Standards. List of Subjects in 45 CFR Part 142

08/12/1998

[Please label any written comments or e-mailed comments about this section with the subject: Reg Text]

Administrative practice and procedure, Health facilities, Health insurance, Hospitals, Medicaid, Medicare, Report and recordkeeping requirement.

45 CFR subtitle A, subchapter B, would be amended by adding part 142 to read as follows:

NOTE TO READER: This proposed rule is one of several proposed rules that are being published to implement the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996. We propose to establish a new 45 CFR Part 142. Proposed Subpart A--General Provisions is exactly the same in each rule unless we have added new sections or definitions to incorporate additional general information. The subparts that follow relate to the specific provisions announced separately in each proposed rule. When we publish the first final rule, each subsequent final rule will revise or add to the text that is set out in the first final rule.

PART 142--ADMINISTRATIVE REQUIREMENTS

Subpart A--General Provisions

Sec.

142.101 Statutory basis and purpose.

142.102 Applicability.

142.103 Definitions.

142.104 General requirements for health plans.

142.105 Compliance using a health care clearinghouse.

142.106 Effective dates of a modification to a standard or implementation specification.

Subpart B--Reserved

Subpart C--Security and Electronic Signature Standards

Sec.

142.302 Applicability and scope.

142.304 Definitions.

142.306 Rules for the security standard.

142.308 Security standard.

142.310 Electronic signature standard.

142.312 Effective date of the initial implementation of the security and electronic signature standards.

Authority: Sections 1173 and 1175 of the Social Security Act (42 U.S.C. 1320d-2 and 1320d-4).

Subpart A--General Provisions

§ 142.101 Statutory basis and purpose.

Sections 1171 through 1179 of the Social Security Act, 42 U.S.C. 1320d, as added by section 262 of the Health Insurance Portability and Accountability Act of 1996, require HHS to adopt national standards for the electronic exchange of health information in the health care system. The purpose of the sections of this part is to promote administrative simplification.

§ 142.102 Applicability.

(a) The standards adopted or designated under this part apply, in whole or in part, to the following:

(1) A health plan.

(2) A health care clearinghouse when doing the following:

(i) Transmitting a standard transaction (as defined in § 142.103) to a health care provider or health plan.

(ii) Receiving a standard transaction from a health care provider or health plan.

(iii) Transmitting and receiving the standard transactions when interacting with another health care clearinghouse.

(3) A health care provider when transmitting an electronic transaction as defined in § 142.103.

(b) Means of compliance are stated in greater detail in § 142.105.

§ 142.103 Definitions.

For purposes of this part, the following definitions apply:

Code set means any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.

Health care clearinghouse means a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. The entity receives health care transactions from health care providers or other entities, translates the data from a given format into one acceptable to the intended payer or payers, and forwards the processed transaction to appropriate payers and clearinghouses. Billing services, repricing companies, community health management information systems, community health information systems, and “value-added” networks and switches are considered to be health care clearinghouses for purposes of this part.

Health care provider means a provider of services as defined in section 1861(u) of the Social Security Act, 42 U.S.C. 1395x, a provider of medical or other health services as defined in section 1861(s) of the Social Security Act, and any other person who furnishes or bills and is paid for health care services or supplies in the normal course of business.

Health information means any information, whether oral or recorded in any form or medium, that--

(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

Health plan means an individual or group plan that provides, or pays the cost of, medical care. Health plan includes the following, singly or in combination:

(1) Group health plan. A group health plan is an employee welfare benefit plan (as currently defined in section 3(1) of the Employee Retirement Income Security Act of 1974, 29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, or otherwise, and--

(i) Has 50 or more participants; or

(ii) Is administered by an entity other than the employer that established and maintains the plan.

(2) Health insurance issuer. A health insurance issuer is an insurance company, insurance service, or insurance organization that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance.

(3) Health maintenance organization. A health maintenance organization is a Federally qualified health maintenance organization, an organization recognized as a health maintenance organization under State law, or a similar organization regulated for solvency under State law in the same manner and to the same extent as such a health maintenance organization.

(4) Part A or Part B of the Medicare program under title XVIII of the Social Security Act.

(5) The Medicaid program under title XIX of the Social Security Act.

(6) A Medicare supplemental policy (as defined in section 1882(g)(1) of the Social Security Act, 42 U.S.C. 1395ss).

(7) A long-term care policy, including a nursing home fixed-indemnity policy.

(8) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.

(9) The health care program for active military personnel under title 10 of the United States Code.

(10) The veterans health care program under 38 U.S.C. chapter 17.

(11) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as defined in 10 U.S.C. 1072(4).

(12) The Indian Health Service program under the Indian Health Care Improvement Act (25 U.S.C. 1601 et seq.).

(13) The Federal Employees Health Benefits Program under 5 U.S.C. chapter 89.

(14) Any other individual or group health plan, or combination thereof, that provides or pays for the cost of medical care.

Medical care means the diagnosis, cure, mitigation, treatment, or prevention of disease, or amounts paid for the purpose of affecting any body structure or function of the body; amounts paid for transportation primarily for and essential to these items; and amounts paid for insurance covering the items and the transportation specified in this definition.

Participant means any employee or former employee of an employer, or any member or former member of an employee organization, who is or may become eligible to receive a benefit of any type from an employee benefit plan that covers employees of that employer or members of such an organization, or whose beneficiaries may be eligible to receive any of these benefits. "Employee" includes an individual who is treated as an employee under section 401(c)(1) of the Internal Revenue Code of 1986 (26 U.S.C. 401(c)(1)).

Small health plan means a group health plan or individual health plan with fewer than 50 participants.

Standard means a set of rules for a set of codes, data elements, transactions, or identifiers promulgated either by an organization accredited by the American National Standards Institute or HHS for the electronic transmission of health information.

Transaction means the exchange of information between two parties to carry out financial and administrative activities related to health care. It includes the following:

(1) Health claims or equivalent encounter information.

(2) Health care payment and remittance advice.

(3) Coordination of benefits.

(4) Health claims status.

(5) Enrollment and disenrollment in a health plan.

(6) Eligibility for a health plan.

(7) Health plan premium payments.

(8) Referral certification and authorization.

(9) First report of injury.

(10) Health claims attachments.

(11) Other transactions as the Secretary may prescribe by regulation.

§ 142.104 General requirements for health plans.

If a person conducts a transaction (as defined in § 142.103) with a health plan as a standard transaction, the following apply:

(a) The health plan may not refuse to conduct the transaction as a standard transaction.

(b) The health plan may not delay the transaction or otherwise adversely affect, or attempt to adversely affect, the person or the transaction on the ground that the transaction is a standard transaction.

(c) The health information transmitted and received in connection with the transaction must be in the form of standard data elements of health information.

(d) A health plan that conducts transactions through an agent must assure that the agent meets all the requirements of this part that apply to the health plan.

§ 142.105 Compliance using a health care clearinghouse.

(a) Any person or other entity subject to the requirements of this part may meet the requirements to accept and transmit standard transactions by either--

(1) Transmitting and receiving standard data elements; or

(2) Submitting nonstandard data elements to a health care clearinghouse for processing into standard data elements and transmission by the health care clearinghouse and receiving standard data elements through the health care clearinghouse.

(b) The transmission, under contract, of nonstandard data elements between a health plan or a health care provider and its agent health care clearinghouse is not a violation of the requirements of this part.

§ 142.106 Effective dates of a modification to a standard or implementation specification.

HHS may modify a standard or implementation specification after the first year in which HHS requires the standard or implementation specification to be used, but not more frequently than once every 12 months. If HHS adopts a modification to a standard or implementation specification, the implementation date of the modified standard or implementation specification may be no earlier than 180 days following the adoption of the modification. HHS determines the actual date, taking into account the time needed to comply due to the nature and extent of the modification. HHS may extend the time for compliance for small health plans.

Subpart B--[Reserved]

Subpart C--Security and Electronic Signature Standards

§ 142.302 Applicability and scope.

The standards adopted or designated under this subpart apply, in whole or in part, to the following:

(a) A health plan.

(b) A health care clearinghouse or health care provider that takes one of the following actions:

(1) Processes any electronic transmission between any combination of health care entities listed in this section.

(2) Electronically maintains any health information used in an electronic transmission that has been sent or received between any combination of health care entities listed in this section.

§ 142.304 Definitions.

For purposes of this subpart, the following definitions apply:

Access refers to the ability or the means necessary to read, write, modify, or communicate data/information or otherwise make use of any system resource.

Access control refers to a method of restricting access to resources, allowing only privileged entities access. Types of access control include, among others, mandatory access control, discretionary access control, time-of-day, and classification.

Authentication refers to the corroboration that an entity is the one claimed.

Contingency plan refers to a plan for responding to a system emergency. The plan includes performing backups, preparing critical facilities that can be used to facilitate continuity of operations in the event of an emergency, and recovering from a disaster.

Encryption (or encipherment) refers to transforming confidential plaintext into ciphertext to protect it. An encryption algorithm combines plaintext with other values called keys, or ciphers, so the data becomes unintelligible. Once encrypted, data can be stored or transmitted over unsecured lines. Decrypting data reverses the encryption algorithm process and makes the plaintext available for further processing.

Password refers to confidential authentication information composed of a string of characters.

Role-based access control (RBAC) is an alternative to traditional access control models (e.g., discretionary or non-discretionary access control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization's structure and business activities. With RBAC, rather than attempting to map an organization's security policy to a relatively low-level set of technical controls (typically, access control lists), each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role.

Token refers to a physical item necessary for user identification when used in the context of authentication; for example, an electronic device that can be inserted in a door or a computer system to obtain access.

User-based access refers to a security mechanism used to grant users of a system access based upon the identity of the user.

§ 142.306 Rules for the security standard.

(a) An entity must apply the security standard described in § 142.308 to all health information pertaining to an individual that is electronically maintained or electronically transmitted.

(b) If a health care clearinghouse is part of a larger organization, it must assure that all health information pertaining to an individual is protected from unauthorized access by the larger organization.

§ 142.308 Security standard.

Each entity designated in § 142.302 must assess potential risks and vulnerabilities to the individual health data in its possession and develop, implement, and maintain appropriate security measures. These measures must be documented and kept current, and must include, at a minimum, the following requirements and implementation features:

(a) Administrative procedures to guard data integrity, confidentiality, and availability (documented, formal practices to manage the selection and execution of security measures to protect data, and to manage the conduct of personnel in relation to the protection of data). These procedures include the following requirements:

(1) Certification. (The technical evaluation performed as part of, and in support of, the accreditation process that establishes the extent to which a particular computer system or network design and implementation meet a pre-specified set of security requirements. This evaluation may be performed internally or by an external accrediting agency.)

(2) A chain of trust partner agreement (a contract entered into by two business partners in which the partners agree to electronically exchange data and protect the integrity and confidentiality of the data exchanged).

(3) A contingency plan, a routinely updated plan for responding to a system emergency, that includes performing backups, preparing critical facilities that can be used to facilitate continuity of operations in the event of an emergency, and recovering from a disaster. The plan must include all of the following implementation features:

(i) An applications and data criticality analysis (an entity’s formal assessment of the sensitivity, vulnerabilities, and security of its programs and information it receives, manipulates, stores, and/or transmits).

(ii) Data backup plan (a documented and routinely updated plan to create and maintain, for a specific period of time, retrievable exact copies of information).

(iii) A disaster recovery plan (the part of an overall contingency plan that contains a process enabling an enterprise to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure).

(iv) Emergency mode operation plan (the part of an overall contingency plan that contains a process enabling an enterprise to continue to operate in the event of fire, vandalism, natural disaster, or system failure).

(v) Testing and revision procedures (the documented process of periodic testing of written contingency plans to discover weaknesses and the subsequent process of revising the documentation, if necessary).

(4) Formal mechanism for processing records (documented policies and procedures for the routine, and nonroutine, receipt, manipulation, storage, dissemination, transmission, and/or disposal of health information).

(5) Information access control (formal, documented policies and procedures for granting different levels of access to health care information) that includes all of the following implementation features:

(i) Access authorization (information-use policies and procedures that establish the rules for granting access, for example, to a terminal, transaction, program, process, or some other user).

(ii) Access establishment (security policies and rules that determine an entity’s initial right of access to a terminal, transaction, program, process or some other user).

(iii) Access modification (security policies and rules that determine the types of, and reasons for, modification to an entity’s established right of access to a terminal, transaction, program, process, or some other user).

(6) Internal audit (in-house review of the records of system activity (such as logins, file accesses, and security incidents) maintained by an organization).

(7) Personnel security (all personnel who have access to any sensitive information have the required authorities as well as all appropriate clearances) that includes all of the following implementation features:

(i) Assuring supervision of maintenance personnel by an authorized, knowledgeable person. These procedures are documented formal procedures and instructions for the oversight of maintenance personnel when the personnel are near health information pertaining to an individual.

(ii) Maintaining a record of access authorizations (ongoing documentation and review of the levels of access granted to a user, program, or procedure accessing health information).

(iii) Assuring that operating and maintenance personnel have proper access authorization (formal documented policies and procedures for determining the access level to be granted to individuals working on, or near, health information).

(iv) Establishing personnel clearance procedures (a protective measure applied to determine that an individual’s access to sensitive unclassified automated information is admissible).

(v) Establishing and maintaining personnel security policies and procedures (formal documentation of procedures to ensure that all personnel who have access to sensitive information have the required authority as well as appropriate clearances).

(vi) Assuring that system users, including maintenance personnel, receive security awareness training.

(8) Security configuration management (measures, practices, and procedures for the security of information systems that must be coordinated and integrated with each other and other measures, practices, and procedures of the organization established in order to create a coherent system of security) that includes all of the following implementation features:

(i) Documentation (written security plans, rules, procedures, and instructions concerning all components of an entity’s security).

(ii) Hardware and software installation and maintenance review and testing for security features (formal, documented procedures for connecting and loading new equipment and programs, periodic review of the maintenance occurring on that equipment and programs, and periodic security testing of the security attributes of that hardware/software).

(iii) Inventory (the formal, documented identification of hardware and software assets).

(iv) Security testing (process used to determine that the security features of a system are implemented as designed and that they are adequate for a proposed applications environment; this process includes hands-on functional testing, penetration testing, and verification).

(v) Virus checking. (The act of running a computer program that identifies and disables:

(A) Another "virus" computer program, typically hidden, that attaches itself to other programs and has the ability to replicate.

(B) A code fragment (not an independent program) that reproduces by attaching to another program.

(C) A code embedded within a program that causes a copy of itself to be inserted in one or more other programs.)

(9) Security incident procedures (formal documented instructions for reporting security breaches) that include all of the following implementation features:

(i) Report procedures (documented formal mechanism employed to document security incidents).

(ii) Response procedures (documented formal rules or instructions for actions to be taken as a result of the receipt of a security incident report).

(10) Security management process (creation, administration, and oversight of policies to ensure the prevention, detection, containment, and correction of security breaches, involving risk analysis and risk management). It includes the establishment of accountability, management controls (policies and education), electronic controls, physical security, and penalties for the abuse and misuse of its assets (both physical and electronic), and must include all of the following implementation features:

(i) Risk analysis (a process whereby cost-effective security/control measures may be selected by balancing the costs of various security/control measures against the losses that would be expected if these measures were not in place).

(ii) Risk management (process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk).

(iii) Sanction policies and procedures (statements regarding disciplinary actions that are communicated to all employees, agents, and contractors; for example, verbal warning, notice of disciplinary action placed in personnel files, removal of system privileges, termination of employment, and contract penalties). They must include employee, agent, and contractor notice of civil or criminal penalties for misuse or misappropriation of health information and must make employees, agents, and contractors aware that violations may result in notification to law enforcement officials and regulatory, accreditation, and licensure organizations.

(iv) Security policy (statement(s) of information values, protection responsibilities, and organization commitment for a system). This is the framework within which an entity establishes needed levels of information security to achieve the desired confidentiality goals.

(11) Termination procedures (formal documented instructions, which include appropriate security measures, for the ending of an employee’s employment or an internal/external user's access) that include procedures for all of the following implementation features:

(i) Changing locks (a documented procedure for changing combinations of locking mechanisms, both on a recurring basis and when personnel knowledgeable of combinations no longer have a need to know or require access to the protected facility or system).

(ii) Removal from access lists (physical eradication of an entity's access privileges).

(iii) Removal of user account(s) (termination or deletion of an individual’s access privileges to the information, services, and resources for which they currently have clearance, authorization, and need-to-know when such clearance, authorization and need-to-know no longer exists).

(iv) Turning in of keys, tokens, or cards that allow access (formal, documented procedure to ensure all physical items that allow a terminated employee to access a property, building, or equipment are retrieved from that employee, preferably before termination).

(12) Training (education concerning the vulnerabilities of the health information in an entity’s possession and ways to ensure the protection of that information) that includes all of the following implementation features:

(i) Awareness training for all personnel, including management personnel (in security awareness, including, but not limited to, password maintenance, incident reporting, and viruses and other forms of malicious software).

(ii) Periodic security reminders (employees, agents, and contractors are made aware of security concerns on an ongoing basis).

(iii) User education concerning virus protection (training relative to user awareness of the potential harm that can be caused by a virus, how to prevent the introduction of a virus to a computer system, and what to do if a virus is detected).

(iv) User education in importance of monitoring log-in success or failure and how to report discrepancies (training in the user’s responsibility to ensure the security of health care information).

(v) User education in password management (type of user training in the rules to be followed in creating and changing passwords and the need to keep them confidential).

(b) Physical safeguards to guard data integrity, confidentiality, and availability. Protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion. It covers the use of locks, keys, and administrative measures used to control access to computer systems and facilities. Physical safeguards must include all of the following requirements and implementation features:

(1) Assigned security responsibility (practices established by management to manage and supervise the execution and use of security measures to protect data and to manage and supervise the conduct of personnel in relation to the protection of data).

(2) Media controls (formal, documented policies and procedures that govern the receipt and removal of hardware/software (such as diskettes and tapes) into and out of a facility) that include all of the following implementation features:

(i) Access control.

(ii) Accountability (the property that ensures that the actions of an entity can be traced uniquely to that entity).

(iii) Data backup (a retrievable, exact copy of information).

(iv) Data storage (the retention of health care information pertaining to an individual in an electronic format).

(v) Disposal (final disposition of electronic data, and/or the hardware on which electronic data is stored).

(3) Physical access controls (limited access) (formal, documented policies and procedures to be followed to limit physical access to an entity while ensuring that properly authorized access is allowed) that include all of the following implementation features:

(i) Disaster recovery (the process enabling an entity to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure).

(ii) An emergency mode operation (access controls in place that enable an entity to continue to operate in the event of fire, vandalism, natural disaster, or system failure).

(iii) Equipment control (into and out of site) (documented security procedures for bringing hardware and software into and out of a facility and for maintaining a record of that equipment. This includes, but is not limited to, the marking, handling, and disposal of hardware and storage media.)

(iv) A facility security plan (a plan to safeguard the premises and building (exterior and interior) from unauthorized physical access and to safeguard the equipment therein from unauthorized physical access, tampering, and theft).

(v) Procedures for verifying access authorizations before granting physical access (formal, documented policies and instructions for validating the access privileges of an entity before granting those privileges).

(vi) Maintenance records (documentation of repairs and modifications to the physical components of a facility, such as hardware, software, walls, doors, and locks).

(vii) Need-to-know procedures for personnel access (a security principle stating that a user should have access only to the data he or she needs to perform a particular function).

(viii) Procedures to sign in visitors and provide escorts, if appropriate (formal documented procedure governing the reception and hosting of visitors).

(ix) Testing and revision (the restriction of program testing and revision to formally authorized personnel).

(4) Policy and guidelines on work station use (documented instructions/procedures delineating the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific computer terminal site or type of site, dependent upon the sensitivity of the information accessed from that site).

(5) A secure work station location (physical safeguards to eliminate or minimize the possibility of unauthorized access to information; for example, locating a terminal used to access sensitive information in a locked room and restricting access to that room to authorized personnel, and not placing a terminal used to access patient information in any area of a doctor’s office where the screen contents can be viewed from the reception area).

(6) Security awareness training (information security awareness training programs in which all employees, agents, and contractors must participate, including, based on job responsibilities, customized education programs that focus on issues regarding use of health information and responsibilities regarding confidentiality and security).

(c) Technical security services to guard data integrity, confidentiality, and availability (the processes that are put in place to protect information and to control individual access to information). These services include the following requirements and implementation features:

(1) The technical security services must include all of the following requirements and the specified implementation features:

(i) Access control that includes:

(A) A procedure for emergency access (documented instructions for obtaining necessary information during a crisis), and

(B) At least one of the following implementation features:

(1) Context-based access (an access control procedure based on the context of a transaction (as opposed to being based on attributes of the initiator or target)).

(2) Role-based access.

(3) User-based access.

(C) The optional use of encryption.

(ii) Audit controls (mechanisms employed to record and examine system activity).

(iii) Authorization control (the mechanism for obtaining consent for the use and disclosure of health information) that includes at least one of the following implementation features:

(A) Role-based access.

(B) User-based access.

(iv) Data authentication. (The corroboration that data has not been altered or destroyed in an unauthorized manner. Examples of how data corroboration may be assured include the use of a check sum, double keying, a message authentication code, or digital signature.)

(v) Entity authentication (the corroboration that an entity is the one claimed) that includes:

(A) Automatic logoff (a security procedure that causes an electronic session to terminate after a predetermined time of inactivity, such as 15 minutes), and

(B) Unique user identifier (a combination name/number assigned and maintained in security procedures for identifying and tracking individual user identity), and

(C) At least one of the following implementation features:

(1) Biometric identification (an identification system that identifies a human from a measurement of a physical feature or repeatable action of the individual (for example, hand geometry, retinal scan, iris scan, fingerprint patterns, facial characteristics, DNA sequence characteristics, voice prints, and handwritten signature)).

(2) Password.

(3) Personal identification number (PIN) (a number or code assigned to an individual and used to provide verification of identity).

(4) A telephone callback procedure (a method of authenticating the identity of the sender and receiver of information through a series of "questions" and "answers" exchanged until the identity of each is established). For example, the communicating systems exchange a series of identification codes as part of initiating a session, or the host computer disconnects the initial session before authentication is complete and calls the user back at a predetermined telephone number to establish the session.

(5) Token.

(2) Reserved.

(d) Technical security mechanisms (processes that are put in place to guard against unauthorized access to data that is transmitted over a communications network).

(1) If an entity uses communications or network controls, its security standards for technical security mechanisms must include the following:

(i) The following implementation features:

(A) Integrity controls (a security mechanism employed to ensure the validity of the information being electronically transmitted or stored).

(B) Message authentication (ensuring, typically with a message authentication code, that a message received (usually via a network) matches the message sent).

(ii) One of the following implementation features:

(A) Access controls (protection of sensitive communications transmissions over open or private networks so that they cannot be easily intercepted and interpreted by parties other than the intended recipient).

(B) Encryption.

(2) If an entity uses network controls (to protect sensitive communication that is transmitted electronically over open networks so that it cannot be easily intercepted and interpreted by parties other than the intended recipient), its technical security mechanisms must include all of the following implementation features:

(i) Alarm. (In communication systems, any device that can sense an abnormal condition within the system and provide, either locally or remotely, a signal indicating the presence of the abnormality. The signal may be in any desired form ranging from a simple contact closure (or opening) to a time-phased automatic shutdown and restart cycle.)

(ii) Audit trail (the data collected and potentially used to facilitate a security audit).

(iii) Entity authentication (a communications or network mechanism to irrefutably identify authorized users, programs, and processes and to deny access to unauthorized users, programs, and processes).

(iv) Event reporting (a network message indicating operational irregularities in physical elements of a network or a response to the occurrence of a significant task, typically the completion of a request for information).
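The distinction the rule draws between a check sum and a message authentication code in paragraph (c)(1)(iv) (data authentication) and again in paragraph (d)(1)(i) (integrity controls and message authentication for transmitted data) is the difference between detecting accidental corruption and detecting deliberate alteration. The following Go program is an added illustration of that difference; it is not part of the proposed rule and the claim record, shared key and Envelope type in it are constructed for the example. A CRC-32 check sum catches a flipped bit on the line, but an active attacker who rewrites the payload simply recomputes it; an HMAC-SHA256 tag keyed with a secret shared by the trading partners cannot be recomputed without that key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash/crc32"
)

// Envelope is a constructed transmission unit: the payload plus the tag
// the sender computed over it.
type Envelope struct {
	Payload []byte
	Tag     []byte
}

// Checksum is CRC-32 over the payload. It detects accidental corruption,
// but carries no secret, so anyone can recompute it for altered data.
func Checksum(payload []byte) []byte {
	tag := make([]byte, 4)
	binary.BigEndian.PutUint32(tag, crc32.ChecksumIEEE(payload))
	return tag
}

// MAC is HMAC-SHA256 keyed with a secret shared only by the trading
// partners. Without the key a third party cannot produce a valid tag.
func MAC(key, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return m.Sum(nil)
}

// Receiver-side checks. hmac.Equal compares in constant time, which is
// also the right comparison for the check sum.
func VerifyChecksum(e Envelope) bool        { return hmac.Equal(Checksum(e.Payload), e.Tag) }
func VerifyMAC(key []byte, e Envelope) bool { return hmac.Equal(MAC(key, e.Payload), e.Tag) }

// Corrupt models line noise: one bit flipped, tag left untouched.
func Corrupt(e Envelope) Envelope {
	p := append([]byte(nil), e.Payload...)
	p[len(p)/2] ^= 0x01
	return Envelope{Payload: p, Tag: e.Tag}
}

// ForgeChecksum models an active attacker who rewrites the payload and
// recomputes the unkeyed tag so the receiver sees a consistent envelope.
func ForgeChecksum(newPayload []byte) Envelope {
	return Envelope{Payload: newPayload, Tag: Checksum(newPayload)}
}

// ForgeMAC is the same attacker against a keyed tag. Lacking the key, the
// only move available is to reuse the tag from the genuine envelope.
func ForgeMAC(genuine Envelope, newPayload []byte) Envelope {
	return Envelope{Payload: newPayload, Tag: genuine.Tag}
}

// ChecksumDetectsForgery and MACDetectsForgery report whether the receiver
// notices the attacker's substitution.
func ChecksumDetectsForgery(altered []byte) bool {
	return !VerifyChecksum(ForgeChecksum(altered))
}

func MACDetectsForgery(key, orig, altered []byte) bool {
	genuine := Envelope{Payload: orig, Tag: MAC(key, orig)}
	return !VerifyMAC(key, ForgeMAC(genuine, altered))
}

func main() {
	key := []byte("shared-secret-assumed-for-this-example")     // constructed
	claim := []byte("CLM*000123*PATIENT 0001*AMOUNT 120.00")   // constructed sample record
	altered := []byte("CLM*000123*PATIENT 0001*AMOUNT 12000.00") // the attacker's version

	withCRC := Envelope{Payload: claim, Tag: Checksum(claim)}
	fmt.Println("checksum catches line noise:     ", !VerifyChecksum(Corrupt(withCRC)))
	fmt.Println("checksum catches active attacker:", ChecksumDetectsForgery(altered))

	withMAC := Envelope{Payload: claim, Tag: MAC(key, claim)}
	fmt.Println("MAC catches line noise:          ", !VerifyMAC(key, Corrupt(withMAC)))
	fmt.Println("MAC catches active attacker:     ", MACDetectsForgery(key, claim, altered))
	fmt.Println("MAC tag:", hex.EncodeToString(withMAC.Tag))
}
```

The check sum therefore satisfies only the accidental-corruption half of data authentication; where the threat is an intercepting party, a keyed MAC (or a digital signature, if the sender must also be identifiable to third parties) is the feature to implement, and the shared key must itself be protected as the rule's access and key-management requirements demand.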

§ 142.310 Electronic signature standard.

(a) General rule.

If an entity elects to use an electronic signature in a transaction as defined in § 142.103, or if an electronic signature is required by a transaction standard adopted by the Secretary, the entity must apply the electronic signature standard described in paragraph (b) of this section to that transaction.

(b) Standard.

(1) An electronic signature is the attribute affixed to an electronic document to bind it to a particular entity. An electronic signature secures the user authentication (proof of claimed identity) at the time the signature is generated; creates the logical manifestation of signature (including the possibility for multiple parties to sign a document and have the order of application recognized and proven); supplies additional information such as time stamp and signature purpose specific to that user; and ensures the integrity of the signed document to enable transportability of data, interoperability, independent verifiability, and continuity of signature capability. Verifying a signature on a document verifies the integrity of the document and associated attributes and verifies the identity of the signer.

(2) The standard for electronic signature is a digital signature. A "digital signature" is an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters so that the identity of the signer and the integrity of the data can be verified.

(c) Required implementation features.

If an entity uses electronic signatures, the signature method must assure all of the following features:

(1) Message integrity (the assurance of unaltered transmission and receipt of a message from the sender to the intended recipient).

(2) Nonrepudiation (strong and substantial evidence of the identity of the signer of a message, and of message integrity, sufficient to prevent a party from successfully denying the origin, submission, or delivery of the message and the integrity of its contents).

(3) User authentication (the provision of assurance of the claimed identity of an entity).

(d) Optional implementation features.

If an entity uses electronic signatures, the entity may also use, among others, any of the following implementation features:

(1) Ability to add attributes (one possible capability of a digital signature technology; for example, the ability to add a time stamp as part of a digital signature).

(2) Continuity of signature capability (the concept that the public verification of a signature must not compromise the ability of the signer to apply additional secure signatures at a later date).

(3) Countersignatures. (The capability to prove the order of application of signatures. This is analogous to the normal business practice of countersignatures, where a party signs a document that has already been signed by another party.)

(4) Independent verifiability (the capability to verify the signature without the cooperation of the signer).

(5) Interoperability (the applications used on either side of a communication, between trading partners and/or between internal components of an entity, are able to read and correctly interpret the information communicated from one to the other).

(6) Multiple signatures. (With this feature, multiple parties are able to sign a document. Conceptually, multiple signatures are simply appended to the document.)

(7) Transportability of data (the ability of a signed document to be transported over an insecure network to another system, while maintaining the integrity of the document, including content, signatures, signature attributes, and (if present) document attributes).
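Paragraphs (b) through (d) of this section describe a digital signature that binds a document to a signer, carries attributes such as a time stamp and purpose, proves the order in which several parties signed, and survives transport to another system where it can be verified without the signer's cooperation. The Go program below is an added example of one way to realize those features; it is not part of the proposed rule and does not represent any particular product. It uses Ed25519 as the signature algorithm (the rule names no algorithm), and the signer identifiers, the claim text and the time stamps are constructed. Each signature is computed over the document content, every earlier signature and the signer's own attributes, so a countersignature is valid only over the exact sequence that preceded it and reordering is detected. Verification uses only the public keys carried in the document; binding each public key to its signer (for example, by certificate) is assumed to happen outside this code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"time"
)

// Signature is one party's signature plus the attributes it binds.
type Signature struct {
	Signer    string `json:"signer"`     // unique user identifier of the signer
	Purpose   string `json:"purpose"`    // attribute: why the party signed
	Timestamp string `json:"timestamp"`  // attribute: RFC 3339 time of signing
	PublicKey []byte `json:"public_key"` // assumed bound to Signer out of band (e.g. a certificate)
	Sig       []byte `json:"sig"`
}

// SignedDocument is the transportable unit: content and signatures in order of application.
type SignedDocument struct {
	Content    []byte      `json:"content"`
	Signatures []Signature `json:"signatures"`
}

// toBeSigned hashes the content, the bytes of every earlier signature and the
// new signature's attributes, each length-prefixed so fields cannot run together.
func toBeSigned(content []byte, prior []Signature, s Signature) []byte {
	h := sha256.New()
	field := func(b []byte) {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(b)))
		h.Write(n[:])
		h.Write(b)
	}
	field(content)
	for _, p := range prior {
		field(p.Sig) // countersignature: earlier signatures are covered, so order is provable
	}
	field([]byte(s.Signer))
	field([]byte(s.Purpose))
	field([]byte(s.Timestamp))
	field(s.PublicKey)
	return h.Sum(nil)
}

// Sign appends a signature by the holder of priv, binding the given attributes.
func (d *SignedDocument) Sign(priv ed25519.PrivateKey, signer, purpose string, at time.Time) {
	s := Signature{
		Signer:    signer,
		Purpose:   purpose,
		Timestamp: at.UTC().Format(time.RFC3339),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
	s.Sig = ed25519.Sign(priv, toBeSigned(d.Content, d.Signatures, s))
	d.Signatures = append(d.Signatures, s)
}

// Verify checks every signature in order using only the public keys carried
// in the document (independent verifiability). Any change to the content, to a
// signature's attributes, or to the order of signatures makes it fail.
func (d SignedDocument) Verify() error {
	for i, s := range d.Signatures {
		if len(s.PublicKey) != ed25519.PublicKeySize {
			return fmt.Errorf("signature %d by %q: bad public key length", i, s.Signer)
		}
		pub := ed25519.PublicKey(s.PublicKey)
		if !ed25519.Verify(pub, toBeSigned(d.Content, d.Signatures[:i], s), s.Sig) {
			return fmt.Errorf("signature %d by %q does not verify", i, s.Signer)
		}
	}
	return nil
}

// Transport serializes the document to JSON and parses it back, as it would
// be when sent over an insecure network to another system.
func Transport(d SignedDocument) (SignedDocument, error) {
	b, err := json.Marshal(d)
	if err != nil {
		return SignedDocument{}, err
	}
	var out SignedDocument
	err = json.Unmarshal(b, &out)
	return out, err
}

func main() {
	_, physician, _ := ed25519.GenerateKey(rand.Reader) // keys generated for the example
	_, reviewer, _ := ed25519.GenerateKey(rand.Reader)
	doc := SignedDocument{Content: []byte("CLM*000123*PATIENT 0001*AMOUNT 120.00")} // constructed
	doc.Sign(physician, "dr-0001", "attestation", time.Now())
	doc.Sign(reviewer, "rev-0042", "countersignature", time.Now())
	received, err := Transport(doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("after transport:", received.Verify())
	received.Signatures[0], received.Signatures[1] = received.Signatures[1], received.Signatures[0]
	fmt.Println("after reordering:", received.Verify())
}
```

Nonrepudiation in paragraph (c)(2) rests on two things this code cannot provide by itself: the private key must be held only by the signer (a token or similar control under the entity authentication requirements), and the public key must be verifiably tied to the unique user identifier it claims, otherwise a verifier learns that some key signed the document but not who.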

§ 142.312 Effective date of the initial implementation of the security and electronic signature standards.

(a) General rules.

(1) Except for a small health plan (defined at § 142.103), each entity designated in § 142.302 must comply with the requirements of this subpart by [24 months after the effective date of the final rule in the Federal Register].

(2) A delay in an effective date for using a standard transaction described in this part does not delay the effective dates described in paragraphs (a)(1) and (b) of this section.

(3) The requirements of the security standard may be implemented over time. Implementation must be completed by the applicable effective date.

(b) Small health plans.

A small health plan must comply with the requirements of this subpart by [36 months after the effective date of the final rule in the Federal Register].

Authority: Sections 1173 and 1175 of the Social Security Act (42 U.S.C. 1320d-2 and 1320d-4).


Dated: July 15, 1998

Donna E. Shalala

Secretary.