[Code of Federal Regulations]
[Title 45, Volume 1]
[Revised as of October 1, 2003]
From the U.S. Government Printing Office via GPO Access
[CITE: 45CFR164.312]

[Page 714-715]
 
                        TITLE 45--PUBLIC WELFARE
 
                           AND HUMAN SERVICES
 
PART 164--SECURITY AND PRIVACY
 
Subpart C--Security Standards for the Protection of Electronic Protected 
                           Health Information
 
Sec. 164.312  Technical safeguards.

    A covered entity must, in accordance with Sec. 164.306:
    (a)(1) Standard: Access control. Implement technical policies and 
procedures for electronic information systems that maintain electronic 
protected health information to allow access only to those persons or 
software programs that have been granted access rights as specified in 
Sec. 164.308(a)(4).
    (2) Implementation specifications:
    (i) Unique user identification (Required). Assign a unique name 
and/or number for identifying and tracking user identity.
    (ii) Emergency access procedure (Required). Establish (and implement 
as needed) procedures for obtaining necessary electronic protected 
health information during an emergency.
    (iii) Automatic logoff (Addressable). Implement electronic 
procedures that terminate an electronic session after a predetermined 
time of inactivity.
    (iv) Encryption and decryption (Addressable). Implement a mechanism 
to encrypt and decrypt electronic protected health information.
    (b) Standard: Audit controls. Implement hardware, software, and/or 
procedural mechanisms that record and examine activity in information 
systems that contain or use electronic protected health information.
    (c)(1) Standard: Integrity. Implement policies and procedures to 
protect electronic protected health information from improper alteration 
or destruction.
    (2) Implementation specification: Mechanism to authenticate 
electronic protected health information (Addressable). Implement 
electronic mechanisms to corroborate that electronic protected health 
information has not been altered or destroyed in an unauthorized manner.
    (d) Standard: Person or entity authentication. Implement procedures 
to verify that a person or entity seeking access to electronic protected 
health information is the one claimed.
    (e)(1) Standard: Transmission security. Implement technical security 
measures to guard against unauthorized access to electronic protected 
health information that is being transmitted over an electronic 
communications network.
    (2) Implementation specifications:
    (i) Integrity controls (Addressable). Implement security measures to 
ensure that electronically transmitted electronic protected health 
information is not improperly modified without detection until disposed 
of.
    (ii) Encryption (Addressable). Implement a mechanism to encrypt 
electronic protected health information whenever deemed appropriate.