e-CFR data is current as of January 19, 2021

Title 45: Public Welfare
PART 171—INFORMATION BLOCKING
Subpart B—Exceptions That Involve Not Fulfilling Requests to Access, Exchange, or Use Electronic Health Information


§171.203 Security exception—When will an actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to protect the security of electronic health information not be considered information blocking?

An actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to protect the security of electronic health information will not be considered information blocking when the practice meets the conditions in paragraphs (a), (b), and (c) of this section, and in addition meets either the condition in paragraph (d) of this section or the condition in paragraph (e) of this section.

(a) The practice must be directly related to safeguarding the confidentiality, integrity, and availability of electronic health information.

(b) The practice must be tailored to the specific security risk being addressed.

(c) The practice must be implemented in a consistent and non-discriminatory manner.

(d) If the practice implements an organizational security policy, the policy must—

(1) Be in writing;

(2) Have been prepared on the basis of, and be directly responsive to, security risks identified and assessed by or on behalf of the actor;

(3) Align with one or more applicable consensus-based standards or best practice guidance; and

(4) Provide objective timeframes and other parameters for identifying, responding to, and addressing security incidents.

(e) If the practice does not implement an organizational security policy, the actor must have made a determination in each case, based on the particularized facts and circumstances, that:

(1) The practice is necessary to mitigate the security risk to electronic health information; and

(2) There are no reasonable and appropriate alternatives to the practice that address the security risk that are less likely to interfere with access, exchange or use of electronic health information.

[85 FR 25955, May 1, 2020, as amended at 85 FR 70085, Nov. 4, 2020]