45 C.F.R. § 171.203

Security exception—When will an actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to protect the security of electronic health information not be considered information blocking?

Read at: eCFRecfr.gov CornellLII GovInfogovinfo.gov CasesGoogle Scholar

An actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to protect the security of electronic health information will not be considered information blocking when the practice meets the conditions in paragraphs (a), (b), and (c) of this section, and in addition meets either the condition in paragraph (d) of this section or the condition in paragraph (e) of this section.

(a) The practice must be directly related to safeguarding the confidentiality, integrity, and availability of electronic health information.

(b) The practice must be tailored to the specific security risk being addressed.

(c) The practice must be implemented in a consistent and non-discriminatory manner.

(d) If the practice implements an organizational security policy, the policy must—

(1) Be in writing;

(2) Have been prepared on the basis of, and be directly responsive to, security risks identified and assessed by or on behalf of the actor;

(3) Align with one or more applicable consensus-based standards or best practice guidance; and

(4) Provide objective timeframes and other parameters for identifying, responding to, and addressing security incidents.

(e) If the practice does not implement an organizational security policy, the actor must have made a determination in each case, based on the particularized facts and circumstances, that:

(1) The practice is necessary to mitigate the security risk to electronic health information; and

(2) There are no reasonable and appropriate alternatives to the practice that address the security risk that are less likely to interfere with access, exchange or use of electronic health information.

[85 FR 25955, May 1, 2020, as amended at 85 FR 70085, Nov. 4, 2020]
Notes of Decisions
Cited in 1 case (1 in the last 5 years), 2024–2024 · leading case: Real Time Med. Sys., Inc. v. PointClickCare Tech., Inc. (D. Maryland 2024).
Real Time Med. Sys., Inc. v. PointClickCare Tech., Inc. (D. Maryland 2024). “PCC alternatively argues that its CAPTCHA use meets the security exception set forth in 45 C.F.R. § 171.203 . ECF No. 62 at 256-57.”
Annotations are extracted automatically from the opinions in the Syfert caselaw corpus and ranked by authority, recency, and treatment. Dots show Syfertize treatment of the citing case itself.