[Code of Federal Regulations]
[Title 45, Volume 1]
[Revised as of October 1, 2006]
From the U.S. Government Printing Office via GPO Access
[CITE: 45CFR164.312]
[Page 747-748]

TITLE 45--PUBLIC WELFARE
SUBTITLE A--DEPARTMENT OF HEALTH AND HUMAN SERVICES
PART 164_SECURITY AND PRIVACY--Table of Contents
Subpart C_Security Standards for the Protection of Electronic Protected Health Information

Sec.  164.312  Technical safeguards.



    A covered entity must, in accordance with Sec.  164.306:

    (a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec.  164.308(a)(4).

    (2) Implementation specifications:

    (i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.

    (ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

    (iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

    (iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

    (b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

    (c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

    (2) Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

    (d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

    (e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

    (2) Implementation specifications:

    (i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

    (ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.