In § 164.518(c) of the NPRM, we proposed to require covered entities to put in place administrative, technical, and physical safeguards to protect the privacy of protected health information. We made reference in the preamble to similar requirements proposed for certain electronic information in the Notice of Proposed Rulemaking entitled the Security and Electronic Signature Standards (HCFA-0049-P). We stated that we were proposing parallel and consistent requirements for safeguarding the privacy of protected health information. In § 164.518(c)(3) of the NPRM, we required covered entities to have safeguards to ensure that information was not used in violation of the requirements of this subpart or by people who did not have proper authorization to access the information.
We do not change the basic proposed requirements that covered entities have administrative, technical and physical safeguards to protect the privacy of protected health information. We combine the proposed requirements into a single standard that requires covered entities to safeguard protected health information from accidental or intentional use or disclosure that is a violation of the requirements of this rule and to protect against the inadvertent disclosure of protected health information to persons other than the intended recipient. Limitations on access to protected health information by the covered entities workforce will also be covered by the policies and procedures for"minimum necessary" use of protected health information, pursuant to § 164.514(d). We expect these provisions to work in tandem.
We do not prescribe the particular measures that covered entities must take to meet this standard, because the nature of the required policies and procedures will vary with the size of the covered entity and the type of activities that the covered entity undertakes. (That is, as with other provisions of this rule, this requirement is "scalable.") Examples of appropriate safeguards include requiring that documents containing protected health information be shredded prior to disposal, and requiring that doors to medical records departments (or to file cabinets housing such records) remain locked and limiting which personnel are authorized to have the key or pass-code. We intend this to be a common sense, scalable, standard. We do not require covered entities to guarantee the safety of protected health information against all assaults. Theft of protected health information may or may not signal a violation of this rule, depending on the circumstances and whether the covered entity had reasonable policies to protect against theft. Organizations such as the Association for Testing and Materials (ASTM) and the American Health Information Management Association (AHIMA) have developed a body of recommended practices for handling of protected health information that covered entities may find useful.
We note that the proposed HIPAA Security Standards would require covered entities to safeguard the privacy and integrity of health information. For electronic information, compliance with both regulations will be required.
In § 164.518(c)(2) of the NPRM we proposed requirements for verification procedures to establish identity and authority for permitted disclosures of protected health information.
In the final rule, this material has been moved to § 164.514(h).