Establish, implement, and maintain secure record transaction standards with third parties.


CONTROL ID: 06093
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain records management policies., CC ID: 00903

This Control has the following implementation support Control(s):
  • Include transfer agreements in the secure record transaction standards., CC ID: 14821
  • Include standards for each data element in the secure record transaction standard., CC ID: 06094


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • To ensure protection against unauthorized use, transfer and discarding of important printed forms should be implemented by specifically designated personnel based on the predetermined procedures, and the progress of transfer and discarding should be accessible by the personnel responsible for manage… (P68.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • ¶ 17: The organization must notify the DSO or MOD DE&S DHSY/PSYA at the earliest possible time any intention to transfer protectively marked work from one List X site to another one or to close a List X contractor's organization. This is required to make proper arrangements to dispose of the assets… (¶ 17, ¶ 50.c, ¶ 53, Security Requirements for List X Contractors, Version 5.0 October 2010)
  • The accountability for the records is a key element in the transfer of ownership of records. (§ 4.3.9.4 ¶ 3, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The hardware compatibility and software compatibility needs to be considered when transferring electronic records. (§ 4.3.9.4 ¶ 4(a), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The metadata needs to be considered when transferring electronic records. (§ 4.3.9.4 ¶ 4(b), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The data documentation needs to be considered when transferring electronic records. (§ 4.3.9.4 ¶ 4(c), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The licensing agreements should be considered when transferring electronic records. (§ 4.3.9.4 ¶ 4(d), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The standards need to be considered when transferring electronic records. (§ 4.3.9.4 ¶ 4(e), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The system procedures provide that confidential information is disclosed to third parties in accordance with the entity's confidentiality and related security policies. (Confidentiality Prin. and Criteria Table § 3.5, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • When web services are furnished, are transaction details stored in the Demilitarized Zone? (§ G.21.1.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • For cloud computing services, is scoped data encrypted when it is stored by third party vendors? (§ V.1.11.5, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • When business partners transmit Federal Tax Information (FTI) from a mainframe to another computer, only the following information needs to be identified: the transaction date; the bulk records being transmitted; the name of the person making or receiving the transmission; and the approximate number… (CSR 1.3.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • DISTRIBUTION.—The Secretary shall establish efficient and low-cost procedures for distribution (including electronic distribution) of code sets and modifications made to such code sets under section 1174(b). (§ 1173(c)(2), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 104th Congress)
  • IN GENERAL.—The Secretary shall adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically, that are appropriate for— (§ 1173(a)(1), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 104th Congress)
  • other financial and administrative transactions determined appropriate by the Secretary, consistent with the goals of improving the operation of the health care system and reducing administrative costs. (§ 1173(a)(1)(B), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 104th Congress)
  • The Records Management Application shall copy the metadata for records and their folders to a user-specified filename, path, or device, for records that have been approved for accession and are not stored in a supported repository. (§ C2.2.6.5.3, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • Transaction-based systems must implement transaction journaling and transaction rollback. (ECDC-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Receive transition of care/referral summaries through a method that conforms to the standard specified in §170.202(d) from a service that has implemented the standard specified in §170.202(a)(2). (§ 170.315 (b) (1) (i) (B), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Send transition of care/referral summaries through a method that conforms to the standard specified in §170.202(d) and that leads to such summaries being processed by a service that has implemented the standard specified in §170.202(a)(2); and (§ 170.315 (b) (1) (i) (A), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Request and respond to transfer one or more prescriptions between pharmacies (RxTransferRequest, RxTransferResponse, RxTransferConfirm). (§ 170.315 (b) (3) (ii) (B) (6), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Secure messaging. Enable a user to send messages to, and receive messages from, a patient in a secure manner. (§ 170.315 (e) (2), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Email transmission to any email address; and (§ 170.315 (e) (1) (i) (C) (1) (i), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • An encrypted method of electronic transmission. (§ 170.315 (e) (1) (i) (C) (1) (ii), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Based on a matched trigger from paragraph (f)(5)(ii). (§ 170.315 (f) (5) (iii) (A), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • The standard (and applicable implementation specifications) specified in §170.205(g). (§ 170.315 (f) (3) (i), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • At a minimum, the versions of the standards specified in § 170.207(a)(1) and (c)(1). (§ 170.315 (f) (3) (ii), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Respond to requests for multiple patients' data as a group according to the standards and implementation specifications adopted in § 170.215(a), (b)(1), and (d), for each of the data included in the standards adopted in § 170.213. All data elements indicated as "mandatory" and "must support" b… (§ 170.315 (g) (10) (i) (B), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Respond to search requests for a single patient's data consistent with the search criteria included in the implementation specifications adopted in § 170.215(b)(1), specifically the mandatory capabilities described in "US Core Server CapabilityStatement." (§ 170.315 (g) (10) (ii) (A), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Respond to search requests for multiple patients' data consistent with the search criteria included in the implementation specification adopted in § 170.215(d). (§ 170.315 (g) (10) (ii) (B), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Receive transition of care/referral summaries through a method that conforms to the standard specified in §170.202(d) from a service that has implemented the standard specified in §170.202(a)(2). (§ 170.315 (b) (1) (i) (B), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Send transition of care/referral summaries through a method that conforms to the standard specified in §170.202(d) and that leads to such summaries being processed by a service that has implemented the standard specified in §170.202(a)(2); and (§ 170.315 (b) (1) (i) (A), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Request and respond to transfer one or more prescriptions between pharmacies (RxTransferRequest, RxTransferResponse, RxTransferConfirm). (§ 170.315 (b) (3) (ii) (B) (6), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Secure messaging. Enable a user to send messages to, and receive messages from, a patient in a secure manner. (§ 170.315 (e) (2), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Email transmission to any email address; and (§ 170.315 (e) (1) (i) (C) (1) (i), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • An encrypted method of electronic transmission. (§ 170.315 (e) (1) (i) (C) (1) (ii), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • At a minimum, the versions of the standards specified in §170.207(a)(3) and (c)(2). (§ 170.315 (f) (3) (ii), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Based on a matched trigger from paragraph (f)(5)(ii). (§ 170.315 (f) (5) (iii) (A), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • The standard (and applicable implementation specifications) specified in §170.205(g). (§ 170.315 (f) (3) (i), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Respond to search requests for multiple patients' data consistent with the search criteria included in the implementation specification adopted in §170.215(a)(4). (§ 170.315 (g) (10) (ii) (B), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Respond to search requests for a single patient's data consistent with the search criteria included in the implementation specification adopted in §170.215(a)(2), specifically the mandatory capabilities described in "US Core Server CapabilityStatement." (§ 170.315 (g) (10) (ii) (A), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Respond to requests for multiple patients' data as a group according to the standard adopted in §170.215(a)(1), and implementation specifications adopted in §170.215(a)(2) and (4), for each of the data included in the standard adopted in §170.213. All data elements indicated as "mandatory" and "m… (§ 170.315 (g) (10) (i) (B), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • A Federal Bureau of Investigation originating agency identifier shall be used for each transaction on a criminal justice information services system to identify the sending agency and ensure the proper level of access. (§ 5.6.1.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Audit trails can be used to identify the requesting agency if there is a reason to inquire into the details surrounding why an agency ran an inquiry on a subject. Agencies assigned a P (limited access) ORI shall not use the full access ORI of another agency to conduct an inquiry transaction. (§ 5.6.1.1 ¶ 3, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The institution manages check return items effectively and whether there are significant numbers of return items. (App A Tier 2 Objectives and Procedures M.1 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Reject items are properly segregated from other work. (App A Tier 2 Objectives and Procedures M.1 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Procedures to qualify returns of substitute checks. (App A Tier 2 Objectives and Procedures M.2 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • A separate limit for WEB entries and other high-risk ACH transactions, as warranted, has been established. (App A Tier 2 Objectives and Procedures H.3 Bullet 5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Customer activity and/or transaction parameters and limits, including expected/allowable unauthorized return levels; (App A Tier 2 Objectives and Procedures M.4 Bullet 1 Sub-Bullet 4, Sub-Sub Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The effectiveness of the financial institution's ECP implementation, including logical access controls over electronic files storing MICR and related information. (App A Tier 1 Objectives and Procedures Objective 10:3 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine whether the institution has a process in place for monitoring and acting on returned items, that includes third-party vendors, where applicable. (App A Tier 1 Objectives and Procedures Objective 8:12, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)