Security Rule organizational arrangements (HIPAA)

The regulatory language within the Security Rule's organizational arrangements section (45 CFR 164.314) focuses on two areas:

Requirements for the first are a part of the business associate standard of the Rule's administrative safeguards (and are discussed more fully in those entries). Requirements for the second are a part of the compartmentalization specification of the information access management standard of the administrative safeguards (and are discussed there).

The Security Rule imposes a general requirement that electronic protected health information (PHI) be kept secure when it is stored and as it flows both within a covered entity and outside it to business associates. Internally, the covered entity must have formal, documented policies and procedures that assure this. Implementation of a regime of administrative, physical and technical safeguards within the entity is the core "organizational arrangement," in the broadest sense of that term -- even if it isn't what you find when you go to the specific passage of the CFR that carries that label.

For PHI that travels outside, contractual or other arrangements must attempt to ensure that appropriate administrative, physical and technical safeguards are also in place. Here, as with access, use and disclosure of information among individuals inside the covered entity, there is a de facto minimum necessary standard to be met: transfers to "the outside" should be no more than necessary to achieve legitimate purposes. (These contracts were called "chain of trust partner agreements" in earlier versions of the Rule. That term is now gone, but it still conveys the aim of such contracts/arrangements very well.) Compartmentalization of information within an organization, to limit transfers to its uncovered component, is also part of achieving the minimum necessary standard.

see also:
last modified: 23-Jul-2003 [RC]