§164.308(a)(4)(ii)(A): If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
Audit Inquiry
If the entity is a health care clearinghouse that is part of a larger organization, does the clearinghouse have policies and procedures to protect ePHI from unauthorized access by the larger organization?
Does the clearinghouse protect ePHI from unauthorized access by the larger organization?
Obtain and review policies and procedures related to protecting ePHI held by a health care clearinghouse from unauthorized access by the larger organization. Evaluate and determine whether reasonable and appropriate administrative, physical, and technical safeguards are in place to protect against unauthorized access by the larger organization.