Question
1) Control Matrix: A listing of the risk and 1 or more countermeasures to address the risk. (25 points)
2) A Section that identifies the necessary components of the policy and why they are important.
THE HIPAA PRIVACY RULE'S RIGHT OF ACCESS AND HEALTH INFORMATION TECHNOLOGY

BACKGROUND AND INTRODUCTION

Since its inception, the HIPAA Privacy Rule's right of an individual to access protected health information (PHI) about him or her held by a covered entity has operated in a primarily paper-based environment. While it has been common for covered entities to create, maintain, and exchange PHI in paper form, an increasing number of covered entities are beginning to utilize new forms of health information technology (health IT), which often involve the transition of PHI from paper to electronic form. Many health care providers, for example, are adopting comprehensive electronic health records (EHRs) to enhance the quality and efficiency of care they deliver. Health IT also may create mechanisms by which individuals can electronically request access to their PHI and by which covered entities can respond by providing or denying access electronically.

An individual's right to access his or her PHI is a critical aspect of the Privacy Rule, the application of which naturally extends to an electronic environment. The Privacy Rule establishes, with limited exceptions, an enforceable means by which individuals have a right to review or obtain copies of their PHI, to the extent it is maintained in the designated record set(s) of a covered entity. The Privacy Rule's specific, yet flexible, standards also address individuals' requests for access and timely action by the covered entity, including the provision of access, denial of access, and documentation. See 45 C.F.R. 164.524.

Health IT has the potential to facilitate the Privacy Rule's right of access from both an individual's and a covered entity's perspective. Because the right of access operates regardless of the format of the PHI, its application in an electronic environment is similar to that in a paper-based environment. Several provisions, however, such as those related to requests for access, timely action, verification, form or format of access, and denial of access, may apply slightly differently and, thus, require additional consideration. The discussion that follows addresses an individual's right to request access electronically, a covered entity's electronic provision or denial of access and other specific applications of the Privacy Rule that will assist covered entities in tailoring their compliance appropriately.
Step by Step Solution
There are 3 Steps involved in it
Step: 1
Understanding an organization's risk profile and tolerance is a critical factor for ensuring processes and controls are aligned with its mission and goals. Each organization and its risk environment is ...
Step: 2
Step: 3