45 CFR Part 162 - Administrative Requirements



AD ID

0000985

AD STATUS

45 CFR Part 162 - Administrative Requirements

ORIGINATOR

US Department of Health and Human Services

TYPE

Regulation or Statute

AVAILABILITY

Free

SYNONYMS

45 CFR Part 162

45 CFR Part 162 - Administrative Requirements

EFFECTIVE

2000-08-17

ADDED

The document as a whole was last reviewed and released on 2020-04-14T00:00:00-0700.

Important Notice

This Authority Document In Depth Report is copyrighted - © 2023 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has made every effort to ensure the quality of the mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and mandates are tied to Common Controls. In addition, by virtue of those Citations and mandates being tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within 45 CFR Part 162 - Administrative Requirements that has been tagged with its primary and secondary nouns and primary and secondary verbs, in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives the Common Control itself.

Dictionary Terms – The dictionary terms listed for 45 CFR Part 162 - Administrative Requirements are based upon terms found within the Authority Document’s defined terms section (which most legal documents have), its glossary, and, for the most part, as tagged within each mandate. The terms with links are the standardized versions of the terms.



Common Controls and mandates by Impact Zone
17 Mandated Controls - bold    20 Implied Controls - italic    17 Implementation

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls
54 Total
  • Operational management
    15
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Business Processes Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [A covered entity that is a covered health care provider must: If it has been assigned NPIs for one or more subparts, comply with the requirements of paragraphs (a)(2) through (a)(5) of this section with respect to each of those NPIs. § 162.410(a)(6)
    Use of a business associate. A covered entity may use a business associate, including a health care clearinghouse, to conduct a transaction covered by this part. If a covered entity chooses to use a business associate to conduct all or part of a transaction on behalf of the covered entity, the covered entity must require the business associate to do the following: Comply with all applicable requirements of this part. § 162.923(c)(1)]
    Establish/Maintain Documentation Preventive
    Perform automated processes according to business requirements. CC ID 14325 Business Processes Preventive
    Conduct transactions, as necessary. CC ID 14378
    [General rule. Except as otherwise provided in this part, if a covered entity conducts, with another covered entity that is required to comply with a transaction standard adopted under this part (or within the same covered entity), using electronic media, a transaction for which the Secretary has adopted a standard under this part, the covered entity must conduct the transaction as a standard transaction. § 162.923(a)
    If an entity requests a health plan to conduct a transaction as a standard transaction, the health plan must do so. § 162.925(a)(1)]
    Business Processes Preventive
    Implement data content requirements and data condition requirements for all transactions. CC ID 14410
    [{data content requirements} Exception for direct data entry transactions. A health care provider electing to use direct data entry offered by a health plan to conduct a transaction for which a standard has been adopted under this part must use the applicable data content and data condition requirements of the standard when conducting the transaction. The health care provider is not required to use the format requirements of the standard. § 162.923(b)]
    Business Processes Preventive
    Keep code sets open until resolved. CC ID 14409
    [Code sets. A health plan must meet each of the following requirements: Keep code sets for the current billing period and appeals periods still open to processing under the terms of the health plan's coverage. § 162.925(c)(2)]
    Business Processes Preventive
    Refrain from using incentives to conduct transactions. CC ID 14408
    [{do not use} A health plan may not offer an incentive for a health care provider to conduct a transaction covered by this part as a transaction described under the exception provided for in §162.923(b). § 162.925(a)(4)]
    Business Processes Preventive
    Refrain from charging fees to conduct transactions. CC ID 14415
    [A health plan that operates as a health care clearinghouse, or requires an entity to use a health care clearinghouse to receive, process, or transmit a standard transaction may not charge fees or costs in excess of the fees or costs for normal telecommunications that the entity incurs when it directly transmits, or receives, a standard transaction to, or from, a health plan. § 162.925(a)(5)]
    Business Processes Preventive
    Refrain from rejecting standard transactions. CC ID 14406
    [A health plan may not delay or reject a transaction, or attempt to adversely affect the other entity or the transaction, because the transaction is a standard transaction. § 162.925(a)(2)]
    Business Processes Preventive
    Refrain from rejecting transactions containing extra data. CC ID 14407
    [{do not need} {not used} A health plan may not reject a standard transaction on the basis that it contains data elements not needed or used by the health plan (for example, coordination of benefits information). § 162.925(a)(3)]
    Business Processes Preventive
    Translate standard transactions, as necessary. CC ID 14405
    [When acting as a business associate for another covered entity, a health care clearinghouse may perform the following functions: Receive a nonstandard transaction (for example, nonstandard format and/or nonstandard data content) from the covered entity and translate it into a standard transaction for transmission on behalf of the covered entity. § 162.930 ¶ 1(b)]
    Business Processes Preventive
    Translate nonstandard transactions, as necessary. CC ID 14404
    [When acting as a business associate for another covered entity, a health care clearinghouse may perform the following functions: Receive a standard transaction on behalf of the covered entity and translate it into a nonstandard transaction (for example, nonstandard format and/or nonstandard data content) for transmission to the covered entity. § 162.930 ¶ 1(a)]
    Business Processes Preventive
    Process transactions, as necessary. CC ID 14403
    [Code sets. A health plan must meet each of the following requirements: Accept and promptly process any standard transaction that contains codes that are valid, as provided in subpart J of this part. § 162.925(c)(1)]
    Business Processes Preventive
  • Records management
    11
    Records management CC ID 00902 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain records management policies. CC ID 00903 Establish/Maintain Documentation Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a data retention program. CC ID 00906 Establish/Maintain Documentation Detective
    Archive appropriate records, logs, and database tables. CC ID 06321
    [Coordination of benefits. If a health plan receives a standard transaction and coordinates benefits with another health plan (or another payer), it must store the coordination of benefits data it needs to forward the standard transaction to the other health plan (or other payer). § 162.925(b)]
    Records Management Preventive
    Establish, implement, and maintain secure record transaction standards with third parties. CC ID 06093 Establish/Maintain Documentation Preventive
    Include standards for each data element in the secure record transaction standard. CC ID 06094 Establish/Maintain Documentation Preventive
    Notify the supervisory authority of any changes to the required data elements. CC ID 14366
    [A covered entity that is a covered health care provider must: Communicate to the NPS any changes in its required data elements in the NPS within 30 days of the change. § 162.410(a)(4)]
    Communicate Corrective
    Establish, implement, and maintain records management procedures. CC ID 11619 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 Monitor and Evaluate Occurrences Detective
    Validate transactions using identifiers and credentials. CC ID 13203
    [A covered entity that is a covered health care provider must: Disclose its NPI, when requested, to any entity that needs the NPI to identify that covered health care provider in a standard transaction. § 162.410(a)(3)
    An organization covered health care provider that has as a member, employs, or contracts with, an individual health care provider who is not a covered entity and is a prescriber, must require such health care provider to— To the extent the prescriber writes a prescription while acting within the scope of the prescriber's relationship with the organization, disclose the NPI upon request to any entity that needs it to identify the prescriber in a standard transaction. § 162.410(b)(2)]
    Technical Security Preventive
  • Technical security
    13
    Technical security CC ID 00508 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain an access control program. CC ID 11702 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain User Access Management procedures. CC ID 00514 Technical Security Preventive
    Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515
    [A covered entity that is a covered health care provider must: Obtain, by application if necessary, an NPI from the National Provider System (NPS) for itself or for any subpart of the covered entity that would be a covered health care provider if it were a separate legal entity. A covered entity may obtain an NPI for any other subpart that qualifies for the assignment of an NPI. § 162.410(a)(1)
    An organization covered health care provider that has as a member, employs, or contracts with, an individual health care provider who is not a covered entity and is a prescriber, must require such health care provider to— Obtain an NPI from the National Plan and Provider Enumeration System (NPPES); and § 162.410(b)(1)]
    Technical Security Preventive
    Assign roles and responsibilities for administering user account management. CC ID 11900 Human Resources Management Preventive
    Automate access control methods, as necessary. CC ID 11838 Technical Security Preventive
    Automate Access Control Systems, as necessary. CC ID 06854 Technical Security Preventive
    Refrain from storing logon credentials for third party applications. CC ID 13690 Technical Security Preventive
    Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 Technical Security Preventive
    Notify interested personnel when user accounts are added or deleted. CC ID 14327 Communicate Detective
    Include digital identification procedures in the access control program. CC ID 11841 Technical Security Preventive
    Employ unique identifiers. CC ID 01273
    [A covered entity that is a covered health care provider must: Use the NPI it obtained from the NPS to identify itself on all standard transactions that it conducts where its health care provider identifier is required. § 162.410(a)(2)
    A covered entity that is a covered health care provider must: If it uses one or more business associates to conduct standard transactions on its behalf, require its business associate(s) to use its NPI and other NPIs appropriately as required by the transactions that the business associate(s) conducts on its behalf. § 162.410(a)(5)
    A health plan must use the NPI of any health care provider (or subpart(s), if applicable) that has been assigned an NPI to identify that health care provider on all standard transactions where that health care provider's identifier is required. § 162.412(a)
    A health care clearinghouse must use the NPI of any health care provider (or subpart(s), if applicable) that has been assigned an NPI to identify that health care provider on all standard transactions where that health care provider's identifier is required. § 162.414 ¶ 1
    A covered entity must use the standard unique employer identifier (EIN) of the appropriate employer in standard transactions that require an employer identifier to identify a person or entity as an employer, including where situationally required. § 162.610(b)]
    Testing Detective
  • Third Party and supply chain oversight
    15
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Establish/Maintain Documentation Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Process or Activity Detective
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506
    [A covered entity may use a business associate, including a health care clearinghouse, to conduct a transaction covered by this part. If a covered entity chooses to use a business associate to conduct all or part of a transaction on behalf of the covered entity, the covered entity must require the business associate to do the following: Require any agent or subcontractor to comply with all applicable requirements of this part. § 162.923(c)(2)]
    Establish/Maintain Documentation Preventive
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 Establish/Maintain Documentation Preventive
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 Establish/Maintain Documentation Preventive
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 Establish/Maintain Documentation Preventive
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 Establish/Maintain Documentation Preventive
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Establish/Maintain Documentation Preventive
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 Establish/Maintain Documentation Preventive
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Establish/Maintain Documentation Preventive
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Establish/Maintain Documentation Preventive
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Establish/Maintain Documentation Preventive
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Establish/Maintain Documentation Preventive
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 Establish/Maintain Documentation Preventive
Common Controls and mandates by Type
17 Mandated Controls - bold    20 Implied Controls - italic    17 Implementation

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
54 Total
  • Business Processes
    12
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Preventive
    Perform automated processes according to business requirements. CC ID 14325 Operational management Preventive
    Conduct transactions, as necessary. CC ID 14378
    [General rule. Except as otherwise provided in this part, if a covered entity conducts, with another covered entity that is required to comply with a transaction standard adopted under this part (or within the same covered entity), using electronic media, a transaction for which the Secretary has adopted a standard under this part, the covered entity must conduct the transaction as a standard transaction. § 162.923(a)
    If an entity requests a health plan to conduct a transaction as a standard transaction, the health plan must do so. § 162.925(a)(1)]
    Operational management Preventive
    Implement data content requirements and data condition requirements for all transactions. CC ID 14410
    [{data content requirements} Exception for direct data entry transactions. A health care provider electing to use direct data entry offered by a health plan to conduct a transaction for which a standard has been adopted under this part must use the applicable data content and data condition requirements of the standard when conducting the transaction. The health care provider is not required to use the format requirements of the standard. § 162.923(b)]
    Operational management Preventive
    Keep code sets open until resolved. CC ID 14409
    [Code sets. A health plan must meet each of the following requirements: Keep code sets for the current billing period and appeals periods still open to processing under the terms of the health plan's coverage. § 162.925(c)(2)]
    Operational management Preventive
    Refrain from using incentives to conduct transactions. CC ID 14408
    [{do not use} A health plan may not offer an incentive for a health care provider to conduct a transaction covered by this part as a transaction described under the exception provided for in §162.923(b). § 162.925(a)(4)]
    Operational management Preventive
    Refrain from charging fees to conduct transactions. CC ID 14415
    [A health plan that operates as a health care clearinghouse, or requires an entity to use a health care clearinghouse to receive, process, or transmit a standard transaction may not charge fees or costs in excess of the fees or costs for normal telecommunications that the entity incurs when it directly transmits, or receives, a standard transaction to, or from, a health plan. § 162.925(a)(5)]
    Operational management Preventive
    Refrain from rejecting standard transactions. CC ID 14406
    [A health plan may not delay or reject a transaction, or attempt to adversely affect the other entity or the transaction, because the transaction is a standard transaction. § 162.925(a)(2)]
    Operational management Preventive
    Refrain from rejecting transactions containing extra data. CC ID 14407
    [{do not need} {not used} A health plan may not reject a standard transaction on the basis that it contains data elements not needed or used by the health plan (for example, coordination of benefits information). § 162.925(a)(3)]
    Operational management Preventive
    Translate standard transactions, as necessary. CC ID 14405
    [When acting as a business associate for another covered entity, a health care clearinghouse may perform the following functions: Receive a nonstandard transaction (for example, nonstandard format and/or nonstandard data content) from the covered entity and translate it into a standard transaction for transmission on behalf of the covered entity. § 162.930 ¶ 1(b)]
    Operational management Preventive
    Translate nonstandard transactions, as necessary. CC ID 14404
    [When acting as a business associate for another covered entity, a health care clearinghouse may perform the following functions: Receive a standard transaction on behalf of the covered entity and translate it into a nonstandard transaction (for example, nonstandard format and/or nonstandard data content) for transmission to the covered entity. § 162.930 ¶ 1(a)]
    Operational management Preventive
    Process transactions, as necessary. CC ID 14403
    [Code sets. A health plan must meet each of the following requirements: Accept and promptly process any standard transaction that contains codes that are valid, as provided in subpart J of this part. § 162.925(c)(1)]
    Operational management Preventive
  • Communicate
    2
    Notify interested personnel when user accounts are added or deleted. CC ID 14327 Technical security Detective
    Notify the supervisory authority of any changes to the required data elements. CC ID 14366
    [A covered entity that is a covered health care provider must: Communicate to the NPS any changes in its required data elements in the NPS within 30 days of the change. § 162.410(a)(4)]
    Records management Corrective
  • Establish/Maintain Documentation
    23
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [A covered entity that is a covered health care provider must: If it has been assigned NPIs for one or more subparts, comply with the requirements of paragraphs (a)(2) through (a)(5) of this section with respect to each of those NPIs. § 162.410(a)(6)
    Use of a business associate. A covered entity may use a business associate, including a health care clearinghouse, to conduct a transaction covered by this part. If a covered entity chooses to use a business associate to conduct all or part of a transaction on behalf of the covered entity, the covered entity must require the business associate to do the following: Comply with all applicable requirements of this part. § 162.923(c)(1)]
    Operational management Preventive
    Establish, implement, and maintain records management policies. CC ID 00903 Records management Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Detective
    Establish, implement, and maintain a data retention program. CC ID 00906 Records management Detective
    Establish, implement, and maintain secure record transaction standards with third parties. CC ID 06093 Records management Preventive
    Include standards for each data element in the secure record transaction standard. CC ID 06094 Records management Preventive
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Preventive
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Preventive
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506
    [A covered entity may use a business associate, including a health care clearinghouse, to conduct a transaction covered by this part. If a covered entity chooses to use a business associate to conduct all or part of a transaction on behalf of the covered entity, the covered entity must require the business associate to do the following: Require any agent or subcontractor to comply with all applicable requirements of this part. § 162.923(c)(2)]
    Third Party and supply chain oversight Preventive
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 Third Party and supply chain oversight Preventive
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 Third Party and supply chain oversight Preventive
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 Third Party and supply chain oversight Preventive
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 Third Party and supply chain oversight Preventive
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Third Party and supply chain oversight Preventive
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 Third Party and supply chain oversight Preventive
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Third Party and supply chain oversight Preventive
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Third Party and supply chain oversight Preventive
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Third Party and supply chain oversight Preventive
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Third Party and supply chain oversight Preventive
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 Third Party and supply chain oversight Preventive
  • Human Resources Management
    1
    Assign roles and responsibilities for administering user account management. CC ID 11900 Technical security Preventive
  • IT Impact Zone
    4
    Technical security CC ID 00508 Technical security IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Monitor and Evaluate Occurrences
    1
    Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 Records management Detective
  • Process or Activity
    1
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Third Party and supply chain oversight Detective
  • Records Management
    1
    Archive appropriate records, logs, and database tables. CC ID 06321
    [Coordination of benefits. If a health plan receives a standard transaction and coordinates benefits with another health plan (or another payer), it must store the coordination of benefits data it needs to forward the standard transaction to the other health plan (or other payer). § 162.925(b)]
    Records management Preventive
  • Technical Security
    8
    Establish, implement, and maintain User Access Management procedures. CC ID 00514 Technical security Preventive
    Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515
    [A covered entity that is a covered health care provider must: Obtain, by application if necessary, an NPI from the National Provider System (NPS) for itself or for any subpart of the covered entity that would be a covered health care provider if it were a separate legal entity. A covered entity may obtain an NPI for any other subpart that qualifies for the assignment of an NPI. § 162.410(a)(1)
    An organization covered health care provider that has as a member, employs, or contracts with, an individual health care provider who is not a covered entity and is a prescriber, must require such health care provider to— Obtain an NPI from the National Plan and Provider Enumeration System (NPPES); and § 162.410(b)(1)]
    Technical security Preventive
    Automate access control methods, as necessary. CC ID 11838 Technical security Preventive
    Automate Access Control Systems, as necessary. CC ID 06854 Technical security Preventive
    Refrain from storing logon credentials for third party applications. CC ID 13690 Technical security Preventive
    Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 Technical security Preventive
    Include digital identification procedures in the access control program. CC ID 11841 Technical security Preventive
    Validate transactions using identifiers and credentials. CC ID 13203
    [A covered entity that is a covered health care provider must: Disclose its NPI, when requested, to any entity that needs the NPI to identify that covered health care provider in a standard transaction. § 162.410(a)(3)
    An organization covered health care provider that has as a member, employs, or contracts with, an individual health care provider who is not a covered entity and is a prescriber, must require such health care provider to— To the extent the prescriber writes a prescription while acting within the scope of the prescriber's relationship with the organization, disclose the NPI upon request to any entity that needs it to identify the prescriber in a standard transaction. § 162.410(b)(2)]
    Records management Preventive
  • Testing
    1
    Employ unique identifiers. CC ID 01273
    [A covered entity that is a covered health care provider must: Use the NPI it obtained from the NPS to identify itself on all standard transactions that it conducts where its health care provider identifier is required. § 162.410(a)(2)
    A covered entity that is a covered health care provider must: If it uses one or more business associates to conduct standard transactions on its behalf, require its business associate(s) to use its NPI and other NPIs appropriately as required by the transactions that the business associate(s) conducts on its behalf. § 162.410(a)(5)
    A health plan must use the NPI of any health care provider (or subpart(s), if applicable) that has been assigned an NPI to identify that health care provider on all standard transactions where that health care provider's identifier is required. § 162.412(a)
    A health care clearinghouse must use the NPI of any health care provider (or subpart(s), if applicable) that has been assigned an NPI to identify that health care provider on all standard transactions where that health care provider's identifier is required. § 162.414 ¶ 1
    A covered entity must use the standard unique employer identifier (EIN) of the appropriate employer in standard transactions that require an employer identifier to identify a person or entity as an employer, including where situationally required. § 162.610(b)]
    Technical security Detective
Common Controls and mandates by Classification
17 Mandated Controls - bold    20 Implied Controls - italic    17 Implementation

There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
54 Total
  • Corrective
    1
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Notify the supervisory authority of any changes to the required data elements. CC ID 14366
    [A covered entity that is a covered health care provider must: Communicate to the NPS any changes in its required data elements in the NPS within 30 days of the change. § 162.410(a)(4)]
    Records management Communicate
  • Detective
    6
    Notify interested personnel when user accounts are added or deleted. CC ID 14327 Technical security Communicate
    Employ unique identifiers. CC ID 01273
    [A covered entity that is a covered health care provider must: Use the NPI it obtained from the NPS to identify itself on all standard transactions that it conducts where its health care provider identifier is required. § 162.410(a)(2)
    A covered entity that is a covered health care provider must: If it uses one or more business associates to conduct standard transactions on its behalf, require its business associate(s) to use its NPI and other NPIs appropriately as required by the transactions that the business associate(s) conducts on its behalf. § 162.410(a)(5)
    A health plan must use the NPI of any health care provider (or subpart(s), if applicable) that has been assigned an NPI to identify that health care provider on all standard transactions where that health care provider's identifier is required. § 162.412(a)
    A health care clearinghouse must use the NPI of any health care provider (or subpart(s), if applicable) that has been assigned an NPI to identify that health care provider on all standard transactions where that health care provider's identifier is required. § 162.414 ¶ 1
    A covered entity must use the standard unique employer identifier (EIN) of the appropriate employer in standard transactions that require an employer identifier to identify a person or entity as an employer, including where situationally required. § 162.610(b)]
    Technical security Testing
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Establish/Maintain Documentation
    Establish, implement, and maintain a data retention program. CC ID 00906 Records management Establish/Maintain Documentation
    Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 Records management Monitor and Evaluate Occurrences
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Third Party and supply chain oversight Process or Activity
  • IT Impact Zone
    4
    Technical security CC ID 00508 Technical security IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Preventive
    43
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain User Access Management procedures. CC ID 00514 Technical security Technical Security
    Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515
    [A covered entity that is a covered health care provider must: Obtain, by application if necessary, an NPI from the National Provider System (NPS) for itself or for any subpart of the covered entity that would be a covered health care provider if it were a separate legal entity. A covered entity may obtain an NPI for any other subpart that qualifies for the assignment of an NPI. § 162.410(a)(1)
    An organization covered health care provider that has as a member, employs, or contracts with, an individual health care provider who is not a covered entity and is a prescriber, must require such health care provider to— Obtain an NPI from the National Plan and Provider Enumeration System (NPPES); and § 162.410(b)(1)]
    Technical security Technical Security
    Assign roles and responsibilities for administering user account management. CC ID 11900 Technical security Human Resources Management
    Automate access control methods, as necessary. CC ID 11838 Technical security Technical Security
    Automate Access Control Systems, as necessary. CC ID 06854 Technical security Technical Security
    Refrain from storing logon credentials for third party applications. CC ID 13690 Technical security Technical Security
    Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 Technical security Technical Security
    Include digital identification procedures in the access control program. CC ID 11841 Technical security Technical Security
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Establish/Maintain Documentation
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Business Processes
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [A covered entity that is a covered health care provider must: If it has been assigned NPIs for one or more subparts, comply with the requirements of paragraphs (a)(2) through (a)(5) of this section with respect to each of those NPIs. § 162.410(a)(6)
    Use of a business associate. A covered entity may use a business associate, including a health care clearinghouse, to conduct a transaction covered by this part. If a covered entity chooses to use a business associate to conduct all or part of a transaction on behalf of the covered entity, the covered entity must require the business associate to do the following: Comply with all applicable requirements of this part. § 162.923(c)(1)]
    Operational management Establish/Maintain Documentation
    Perform automated processes according to business requirements. CC ID 14325 Operational management Business Processes
    Conduct transactions, as necessary. CC ID 14378
    [General rule. Except as otherwise provided in this part, if a covered entity conducts, with another covered entity that is required to comply with a transaction standard adopted under this part (or within the same covered entity), using electronic media, a transaction for which the Secretary has adopted a standard under this part, the covered entity must conduct the transaction as a standard transaction. § 162.923(a)
    If an entity requests a health plan to conduct a transaction as a standard transaction, the health plan must do so. § 162.925(a)(1)]
    Operational management Business Processes
    Implement data content requirements and data condition requirements for all transactions. CC ID 14410
    [{data content requirements} Exception for direct data entry transactions. A health care provider electing to use direct data entry offered by a health plan to conduct a transaction for which a standard has been adopted under this part must use the applicable data content and data condition requirements of the standard when conducting the transaction. The health care provider is not required to use the format requirements of the standard. § 162.923(b)]
    Operational management Business Processes
    Keep code sets open until resolved. CC ID 14409
    [Code sets. A health plan must meet each of the following requirements: Keep code sets for the current billing period and appeals periods still open to processing under the terms of the health plan's coverage. § 162.925(c)(2)]
    Operational management Business Processes
    Refrain from using incentives to conduct transactions. CC ID 14408
    [{do not use} A health plan may not offer an incentive for a health care provider to conduct a transaction covered by this part as a transaction described under the exception provided for in §162.923(b). § 162.925(a)(4)]
    Operational management Business Processes
    Refrain from charging fees to conduct transactions. CC ID 14415
    [A health plan that operates as a health care clearinghouse, or requires an entity to use a health care clearinghouse to receive, process, or transmit a standard transaction may not charge fees or costs in excess of the fees or costs for normal telecommunications that the entity incurs when it directly transmits, or receives, a standard transaction to, or from, a health plan. § 162.925(a)(5)]
    Operational management Business Processes
    Refrain from rejecting standard transactions. CC ID 14406
    [A health plan may not delay or reject a transaction, or attempt to adversely affect the other entity or the transaction, because the transaction is a standard transaction. § 162.925(a)(2)]
    Operational management Business Processes
    Refrain from rejecting transactions containing extra data. CC ID 14407
    [{do not need} {not used} A health plan may not reject a standard transaction on the basis that it contains data elements not needed or used by the health plan (for example, coordination of benefits information). § 162.925(a)(3)]
    Operational management Business Processes
    Translate standard transactions, as necessary. CC ID 14405
    [When acting as a business associate for another covered entity, a health care clearinghouse may perform the following functions: Receive a nonstandard transaction (for example, nonstandard format and/or nonstandard data content) from the covered entity and translate it into a standard transaction for transmission on behalf of the covered entity. § 162.930 ¶ 1(b)]
    Operational management Business Processes
    Translate nonstandard transactions, as necessary. CC ID 14404
    [When acting as a business associate for another covered entity, a health care clearinghouse may perform the following functions: Receive a standard transaction on behalf of the covered entity and translate it into a nonstandard transaction (for example, nonstandard format and/or nonstandard data content) for transmission to the covered entity. § 162.930 ¶ 1(a)]
    Operational management Business Processes
    Process transactions, as necessary. CC ID 14403
    [Code sets. A health plan must meet each of the following requirements: Accept and promptly process any standard transaction that contains codes that are valid, as provided in subpart J of this part. § 162.925(c)(1)]
    Operational management Business Processes
    Establish, implement, and maintain records management policies. CC ID 00903 Records management Establish/Maintain Documentation
    Archive appropriate records, logs, and database tables. CC ID 06321
    [Coordination of benefits. If a health plan receives a standard transaction and coordinates benefits with another health plan (or another payer), it must store the coordination of benefits data it needs to forward the standard transaction to the other health plan (or other payer). § 162.925(b)]
    Records management Records Management
    Establish, implement, and maintain secure record transaction standards with third parties. CC ID 06093 Records management Establish/Maintain Documentation
    Include standards for each data element in the secure record transaction standard. CC ID 06094 Records management Establish/Maintain Documentation
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Establish/Maintain Documentation
    Validate transactions using identifiers and credentials. CC ID 13203
    [A covered entity that is a covered health care provider must: Disclose its NPI, when requested, to any entity that needs the NPI to identify that covered health care provider in a standard transaction. § 162.410(a)(3)
    An organization covered health care provider that has as a member, employs, or contracts with, an individual health care provider who is not a covered entity and is a prescriber, must require such health care provider to— To the extent the prescriber writes a prescription while acting within the scope of the prescriber's relationship with the organization, disclose the NPI upon request to any entity that needs it to identify the prescriber in a standard transaction. § 162.410(b)(2)]
    Records management Technical Security
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506
    [A covered entity may use a business associate, including a health care clearinghouse, to conduct a transaction covered by this part. If a covered entity chooses to use a business associate to conduct all or part of a transaction on behalf of the covered entity, the covered entity must require the business associate to do the following: Require any agent or subcontractor to comply with all applicable requirements of this part. § 162.923(c)(2)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 Third Party and supply chain oversight Establish/Maintain Documentation