Procedural Notes


Carlee Members

Aug 4, 2024, 6:07:25 PM
to grifdieredslmas
This is a summary of key elements of the Security Rule including who is covered, what information is protected, and what safeguards must be in place to ensure appropriate protection of electronic protected health information. Because it is an overview of the Security Rule, it does not address every detail of each provision.

Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions.


Today, providers are using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies increases the potential security risks.


A major goal of the Security Rule is to protect the privacy of individuals' health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity's particular size, organizational structure, and risks to consumers' e-PHI.


This is a summary of key elements of the Security Rule and not a complete or comprehensive guide to compliance. Entities regulated by the Privacy and Security Rules are obligated to comply with all of their applicable requirements and should not rely on this summary as a source of legal information or advice. To make it easier to review the complete requirements of the Security Rule, provisions of the Rule referenced in this summary are cited in the end notes. Visit our Security Rule section to view the entire Rule, and for additional helpful information about how the Rule applies. In the event of a conflict between this summary and the Rule, the Rule governs.


HIPAA called on the Secretary to issue security regulations regarding measures for protecting the integrity, confidentiality, and availability of e-PHI that is held or transmitted by covered entities. HHS developed a proposed rule and released it for public comment on August 12, 1998. The Department received approximately 2,350 public comments. The final regulation, the Security Rule, was published February 20, 2003.[2] The Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality, integrity, and availability of e-PHI.


The Security Rule defines "confidentiality" to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI. The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, "integrity" means that e-PHI is not altered or destroyed in an unauthorized manner. "Availability" means that e-PHI is accessible and usable on demand by an authorized person.[5]


HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity's business, as well as the covered entity's size and resources.


Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents,[12] periodically evaluates the effectiveness of security measures put in place,[13] and regularly reevaluates potential risks to e-PHI.[14]


The Knowledge Base materials on this page have not yet been updated to reflect changes to our Handbook and the adoption of UK versions of relevant EU legislation (such as the Prospectus Regulation and the Market Abuse Regulation) which came into effect at the end of the Brexit transition period on 31 December 2020.


Pending these updates, we expect firms and other market participants to sensibly and purposefully interpret references to EU or EU-derived law in light of the provisions of the European Union (Withdrawal) Act 2018 and any changes to the underlying provision as it is preserved or converted into UK law.


For more information, see our approach to non-Handbook guidance where it relates to EU law or EU-derived law, and our pages about equivalence of non-UK regimes and shareholding notification and disclosure for information relating to changes to the Disclosure Guidance and Transparency Rules as a result of EU withdrawal.


We are also continuing to update our Knowledge Base to reflect the changes to the regime made by the EU Prospectus Regulation, which came into full effect from 21 July 2019. We're doing this in stages as we need to update around a third of the 93 current technical and procedural notes.


Pending completion of these updates, please apply the guidance in the technical notes and procedural notes below to prospectuses and other listing documents (as applicable), to the extent that the guidance in the notes remains compatible with the Prospectus Regulation.


The commission or nomination of the Instructor, Defender of the Bond and Notary is to be given in writing, signed by the diocesan Bishop, dated and notarized. It may be given on a permanent basis or case by case. Since it marks the initiation of the process at the diocesan level, the commission is to be established before any testimony is received or research takes place.


The votum of the Bishop is likewise to be signed by the diocesan Bishop. This document, given on his pastoral authority, is to set forth his opinion of the case and the reasons which recommend it. Precise reference is to be made whether the conditions for granting this favour have been met, along with any positive doubt which may have arisen about the validity of the marriage (cf. artt. 10, 24). The Bishop should always give clear indications about the present condition of the parties and whether the petitioner has attempted a new marriage in any form or may be cohabiting with the third party (artt. 1, 4-5, 24). Fear of scandal arising from the concession of the favour, or any doubt about the sincerity of conversion of the petitioner or intended spouse, or any particular difficulties regarding the manner in which the petitioner is fulfilling obligations arising from the former marriage should be settled before the case is submitted (cf. artt. 7 3, 9, 20).


Where applicable, certificates of baptism or profession of faith or both are to be included in the process with regard to the petitioner and/or the interested party (art. 22 2). Baptismal certificates should also be provided in the case of any children born to the first marriage who are still minors. A copy of the pre-nuptial investigation and dispensation D.C. (in the case of a Catholic marriage), the marriage certificate and a copy of the civil divorce decree or sentence of civil nullity for the marriage presented for dissolution are also to be included.


Certificates of divorce or sentences of civil nullity, along with the dispositive part of the canonical sentence of nullity, must be included for each marriage attempted either by the petitioner or the interested party (art. 19). In the case of marriages attempted outside the canonical form, even though the documentary process is not employed, an administrative declaration of the nullity issued by competent authority must always be included for any union of this kind.


Both spouses are to be heard as part of the instruction. If the former spouse is absent from the process, this must be declared ad normam iuris (artt. 12, 15 2). This means that the Instructor is to contact the other party in a way that may ensure their co-operation, inviting them to give testimony. If the other party has neither appeared nor given a reason for being absent, the Instructor is then to place a document in the acts which notes this fact and explains the situation. Before doing so, however, the Instructor should be certain that some form of notification has indeed reached the other party (cf. can. 1592).


The third party is always to be included among the witnesses. Although not normally qualified to comment on the baptismal status of the parties to the former marriage, the third party can testify about any obligations the petitioner may have with regard to the former marriage, about the causes for its breakdown and about his own religious practice as well as that of the petitioner.


The Norms indicate that the matters asserted in the case must be proven according to the norms of law (art. 12 1), that the record of each testimony is to be signed by the witness, the Instructor and the Notary, and that mention is to be made whether the oath was taken or excused or refused (cf. artt. 14, 15).


In the case that a witness may be far away or for some other reason cannot or will not come to the office of the Instructor, they may be heard in another place by a Notary or in any other legitimate manner (art. 15; cf. can. 1528).


Depositions and testimonies by letter or telephone are open to abuse and have a very uncertain probative value. In the first place, there is no guarantee of the identity of the person who composes written responses or of the person who answers a telephone. Responses given by letter are often vague or imprecise. They provide no opportunity to ask for clarifications or support for a particular answer and the danger is always present that they may have been dictated by another person. If some exceptional circumstance seems to justify this type of interrogation, statements of this kind should at least be taken to a notary or legitimated in some way to ensure their genuineness and authenticity and to ensure that such witnesses take seriously the evidence they have given.
