On April 17, 2009, the U.S. Department of Health and Human Services (HHS) published its first guidance under the Health Information Technology for Economic and Clinical Health (HITECH) provisions of the American Recovery and Reinvestment Act. The HITECH Act amends the privacy and security provisions of the Health Insurance Portability and Accountability Act (HIPAA). This new guidance provides key information to health care providers, health plans, health care clearinghouses and their business associates about the security of protected health information.

HITECH Act Breach Notification Provisions

Among other changes, the HITECH Act requires covered entities and business associates to notify individuals about unauthorized disclosures of "unsecured" protected health information.

HIPAA's existing privacy and security regulations do not include a definition of unsecured protected health information. The HITECH Act therefore required the secretary of Health and Human Services to issue guidance specifying the technologies and methodologies that render protected health information "unusable, unreadable or indecipherable" to unauthorized persons. Securing protected health information as defined in the new guidance is important because secured protected health information is not subject to the breach notification requirements of the HITECH Act. Use of the specified methodologies provides the functional equivalent of a safe harbor that protects covered entities and business associates from having to give notice under the breach notification provisions.

Scope Of Guidance

The guidance describes two methodologies to secure protected health information by making it unusable, unreadable or indecipherable to unauthorized persons: encryption and destruction. The guidance states that these methods may be used to secure data in four commonly recognized data states: data in motion (such as data moving through a network); data at rest (data in a file or database); data in use (data being created, retrieved, updated or deleted); and data disposed (discarded or recycled data).

Encryption for purposes of HIPAA means the "use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key," provided that the process or key itself has not been breached. The guidance identifies two encryption processes recognized by the National Institute of Standards and Technology (NIST) as rendering protected health information unusable, unreadable or indecipherable. For data at rest, the acceptable processes are those consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. Valid encryption processes for data in motion are those that comply with Federal Information Processing Standard (FIPS) 140-2. Both standards are available on the NIST Web site.

To destroy paper or other hard copy data, the user must shred or destroy the paper, film or other media in a manner that ensures the protected health information cannot be read or reconstructed. Electronic media is considered destroyed if it is cleared, purged or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the protected health information cannot be retrieved.

At this time, encryption and destruction are the only two methods recognized by HHS to render protected health information unusable, unreadable or indecipherable, unless and until further guidance is issued. Covered entities and business associates should remember that rendering protected health information unusable, unreadable or indecipherable to unauthorized individuals as defined in the guidance is not a substitute for compliance with HIPAA's privacy and security regulations or with other federal or state health information privacy and security laws. The guidance is effective as of April 17, 2009; however, notice of breaches need not be given until 30 days after HHS publishes interim final regulations. Those regulations must be published by the middle of August 2009.

Request For Comments

The guidance requests public comments concerning several issues, including the following:

  • Additional methodologies and technologies to add to the list, including methods to protect the security of data in use
  • Whether limited data sets should be treated as unusable, unreadable or indecipherable to unauthorized persons
  • Whether there is potential for conflict between the HITECH Act and state breach notification laws
  • Whether covered entities or business associates expect to have to send multiple notices of a single breach because of existing laws
  • The circumstances in which the HITECH Act's exceptions to the definition of "breach" are expected to apply

The time frame for providing comments is short. Comments must be submitted by May 21, 2009. Persons interested in commenting on the guidance may do so at Regulations.gov or by using the other means described in the guidance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.