HIPAA - Isolation Health Clearinghouse Functions 164.308(a)(4)(ii)(A)


Overview:
If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.


Action Items:
1) Obtain and review policies and procedures related to protecting EPHI held by a health care clearinghouse from unauthorized access by the larger organization. Evaluate and determine whether reasonable and appropriate administrative, physical, and technical safeguards are in place to protect against unauthorized access by the larger organization.


Related Documents:
1) Policies and procedures related to protecting EPHI held by a health care clearinghouse from unauthorized access by the larger organization.


Additional Guidance:
This implementation specification only applies in the situation where a health care clearinghouse is part of a larger organization. In these situations, the health care clearinghouse is responsible for protecting the EPHI that it is processing.


Sample questions for covered entities to consider:
- Does the larger organization perform health care clearinghouse functions?
- If health care clearinghouse functions are performed, are policies and procedures implemented to protect EPHI from the other functions of the larger organization?
- Are additional technical safeguards needed to separate EPHI in the information systems used by the health care clearinghouse, to protect against unauthorized access by the larger organization?

 



Article ID: 444
Created: September 28, 2022
Last Updated: September 28, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/hipaa-isolation-health-clearinghouse-functions-164-308-a-4-ii-a-444.html