Regulations

§ 142.302 Applicability and scope.

The standards adopted or designated under this subpart apply, in whole or in part, to the following:

(a) A health plan.

(b) A health care clearinghouse or health care provider that takes one of the following actions:

(1) Processes any electronic transmission between any combination of health care entities listed in this section.

(2) Electronically maintains any health information used in an electronic transmission that has been sent or received between any combination of health care entities listed in this section.

§ 142.304 Definitions.

For purposes of this subpart, the following definitions apply:

Access refers to the ability or the means necessary to read, write, modify, or communicate data/information or otherwise make use of any system resource.

Access control refers to a method of restricting access to resources, allowing only privileged entities access. Types of access control include, among others, mandatory access control, discretionary access control, time-of-day, and classification.

Authentication refers to the corroboration that an entity is the one claimed.

Contingency plan refers to a plan for responding to a system emergency. The plan includes performing backups, preparing critical facilities that can be used to facilitate continuity of operations in the event of an emergency, and recovering from a disaster.

Encryption (or encipherment) refers to transforming confidential plaintext into ciphertext to protect it. An encryption algorithm combines plaintext with other values called keys, or ciphers, so the data becomes unintelligible. Once encrypted, data can be stored or transmitted over unsecured lines. Decrypting data reverses the encryption algorithm process and makes the plaintext available for further processing.

Password refers to confidential authentication information composed of a string of characters.

Role-based access control (RBAC) is an alternative to traditional access control models (e.g., discretionary or non-discretionary access control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization's structure and business activities. With RBAC, rather than attempting to map an organization's security policy to a relatively low-level set of technical controls (typically, access control lists), each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role.

Token refers to a physical item necessary for user identification when used in the context of authentication. For example, an electronic device that can be inserted in a door or a computer system to obtain access.

User-based access refers to a security mechanism used to grant users of a system access based upon the identity of the user.

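As an added illustration of the role-based and user-based definitions above (example code written for this page, not part of the regulation text), the following Python models the same policy both ways: once as users assigned to predefined roles that carry privileges, and once as a per-resource list of permitted identities (an access control list). The roles, users and resources are constructed for the example and are assumptions; the regulation specifies none of them.

```python
"""Role-based vs user-based (identity ACL) access control, side by side.

Constructed example; the roles, users and resources are hypothetical.
"""


class RoleBasedPolicy:
    """RBAC: users -> predefined roles -> privileges.

    A privilege is a (resource, action) pair. A request is permitted only if
    at least one of the user's roles carries that privilege; a user with no
    roles is denied everything (default deny).
    """

    def __init__(self, role_privileges):
        # Privileges attach to roles, never directly to users.
        self.role_privileges = {role: frozenset(privs) for role, privs in role_privileges.items()}
        self.user_roles = {}

    def assign(self, user, role):
        if role not in self.role_privileges:
            raise ValueError(f"unknown role {role!r}")  # roles are predefined, no ad-hoc grants
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def permits(self, user, resource, action):
        return any((resource, action) in self.role_privileges[role]
                   for role in self.user_roles.get(user, ()))


class UserBasedPolicy:
    """User-based access: each (resource, action) lists the identities allowed."""

    def __init__(self):
        self.acl = {}

    def grant(self, user, resource, action):
        self.acl.setdefault((resource, action), set()).add(user)

    def permits(self, user, resource, action):
        return user in self.acl.get((resource, action), set())

    def entries_for(self, user):
        """How many ACL entries name this user (all must change when their duties change)."""
        return sum(1 for users in self.acl.values() if user in users)


# Hypothetical roles for a provider; assumed for the example only.
ROLE_PRIVILEGES = {
    "physician": {("patient_record", "read"), ("patient_record", "write")},
    "billing_clerk": {("patient_record", "read"), ("claim", "write")},
    "auditor": {("audit_log", "read")},
}


def demo():
    """Enforce the same policy both ways and return the decisions for checking."""
    rbac = RoleBasedPolicy(ROLE_PRIVILEGES)
    rbac.assign("dr_lee", "physician")
    rbac.assign("pat", "billing_clerk")

    acl = UserBasedPolicy()
    for user, role in (("dr_lee", "physician"), ("pat", "billing_clerk")):
        for resource, action in ROLE_PRIVILEGES[role]:
            acl.grant(user, resource, action)  # the role must be expanded by hand, per user

    results = {
        "rbac_physician_writes_record": rbac.permits("dr_lee", "patient_record", "write"),
        "rbac_clerk_writes_record": rbac.permits("pat", "patient_record", "write"),
        "rbac_unknown_user": rbac.permits("visitor", "patient_record", "read"),
        "acl_physician_writes_record": acl.permits("dr_lee", "patient_record", "write"),
        "acl_entries_for_pat": acl.entries_for("pat"),
    }

    # Duty change: pat moves from billing to audit. Under RBAC this is one revoke
    # and one assign; under the ACL every entry naming pat has to be found and edited.
    rbac.revoke("pat", "billing_clerk")
    rbac.assign("pat", "auditor")
    results["rbac_pat_after_move_reads_audit"] = rbac.permits("pat", "audit_log", "read")
    results["rbac_pat_after_move_reads_record"] = rbac.permits("pat", "patient_record", "read")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of `entries_for` is the one the definition makes: with an identity ACL the organization's policy is spread across every resource entry that names a user, so a job change means hunting down each entry, whereas under RBAC the policy lives in the role and the user's assignment is the only thing that moves.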
§ 142.306 Rules for the security standard.

(a) An entity must apply the security standard described in § 142.308 to all health information pertaining to an individual that is electronically maintained or electronically transmitted.

(b) If a health care clearinghouse is part of a larger organization, it must assure that all health information pertaining to an individual is protected from unauthorized access by the larger organization.