On April 17, 2009, the Department of Health and Human Services (HHS) published guidance regarding the meaning of “secured” protected health information (PHI) and requested input on issues related to the forthcoming notice of breach regulations.

Secured PHI

The HITECH Act provides new requirements for covered entities and business associates to make various notifications of breaches of unsecured PHI. (A previously issued Bulletin discusses the HITECH Act in detail.) The HITECH Act defines “secured” PHI as PHI that is unusable, unreadable, or indecipherable to unauthorized individuals. HHS was instructed to issue guidance to specify the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

In the new guidance, HHS states that there are only two methods for making PHI secured: encryption and destruction.

  • Encryption. The guidance provides that for electronic PHI to be encrypted it must be encrypted by the use of “an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” and such confidential process or key that might enable decryption has not been breached. Two specific methods are identified as meeting this standard:
  1. For stored PHI (termed “data at rest” in the guidance), valid encryption processes are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
  2. For transmitted PHI (termed “data in motion” in the guidance), valid encryption processes are those that comply with the requirements of Federal Information Processing Standards (FIPS) 140-2, including, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.
  • Destruction. The guidance provides that destruction of PHI in the following manner will render it secured:
  1. Paper, film, or other hard copy media that has been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
  2. Electronic media that has been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

The guidance states that HHS considered including PHI that is in a limited data set to be within the meaning of ”secured.” However, HHS has not at this time done so. HHS expressly requested input from the industry this issue. HHS also solicited comments to the following questions:

  1. Are there particular electronic media configurations that may render PHI unusable, unreadable, or indecipherable to unauthorized individuals, such as a fingerprint protected Universal Serial Bus (USB) drive, which are not sufficiently covered by the above and to which guidance should be specifically addressed?
  2. With respect to paper PHI, are there additional methods [HHS] should consider for rendering the information unusable, unreadable, or indecipherable to unauthorized individuals?
  3. Are there other methods generally [HHS] should consider for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals?
  4. Are there circumstances under which the methods discussed above would fail to render information unusable, unreadable, or indecipherable to unauthorized individuals?
  5. Does the risk of re-identification of a limited data set warrant its exclusion from the list of technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals? Can risk of re-identification be alleviated such that the creation of a limited data set could be added to this guidance?
  6. In the event of a breach of protected health information in limited data set form, are there any administrative or legal concerns about the ability to comply with the breach notification requirements?
  7. Should future guidance specify which off-the-shelf products, if any, meet the encryption standards identified in this guidance?

Comments Requested on Notice of Breach Issues

The HITECH Act requires HHS to issue regulations on the notice of breach requirements within 180 days of February 17, 2009. In the same publication containing the guidance on secured PHI, HHS announced that it was soliciting comments regarding the development of these regulations and is particularly interested in the following issues:

  1. Based on experience in complying with state breach notification laws, are there any potential areas of conflict or other issues [HHS] should consider in promulgating the federal breach notification requirements?
  2. Given current obligations under state breach notification laws, do covered entities or business associates anticipate having to send multiple notices to an individual upon discovery of a single breach? Are there circumstances in which the required federal notice would not also satisfy any notice obligations under the state law?
  3. Considering the methodologies discussed in the guidance, are there any circumstances in which a covered entity or business associate would still be required to notify individuals under state laws of a breach of information that has been rendered secured based on federal requirements?
  4. The Act’s definition of “breach” provides for a variety of exceptions. To what particular types of circumstances do entities anticipate these exceptions applying?

The notice of breach requirements in the HITECH Act will become effective 30 days after the regulations are published.

Methods for communicating comments to HHS can be found in the guidance. Comments on either topic must be received by HHS by May 21, 2009.