HIPAA Security Rule
This rule is part of the Health Insurance Portability and Privacy Act. Specifically, it governs IT standards for how organizations handle Electronic Protected Health Information (EPHI) and details administrative, technical and physical safeguards. Covered organizations that do not have an expert on staff typically have to hire an outside consultant to navigate the complexities.
Penalties – Civil: up to $100 per incident. Criminal: Fines up to $250,000 and 10 years in prison.
Relevant scGRC.com Tools: Compliance Assessment, IT Risk Assessment, IT Audit Generator
FAQs