The Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"), enacted on Feb. 17, 2009, as part of the American Recovery and Reinvestment Act of 2009 ("ARRA"), requires covered entities to notify affected individuals, and requires business associates to notify the covered entities with whom they contract, of any breach of "unsecured protected health information" ("unsecured PHI"). In addition, the HITECH Act requires the Department of Health and Human Services ("HHS") to issue guidance specifying the technologies and methodologies that would render PHI unusable, unreadable, or indecipherable (i.e., the technologies and methodologies that would secure the PHI). For a more detailed discussion of the HITECH Act's requirements, please view "American Recovery and Reinvestment Act of 2009 Strengthens Health Information Privacy and Security Laws."
On April 17, 2009, HHS issued guidance regarding the technologies and methodologies that will render PHI unusable, unreadable, or indecipherable. Significantly, while covered entities are not required to comply with the HHS guidance, a covered entity that implements the identified technologies and methodologies will not be subject to the HITECH Act's breach notification requirements in the event the security of the PHI is breached, because those requirements apply only to unsecured PHI. According to HHS, the specified technologies and methodologies "create the functional equivalent of a safe harbor."1
In its guidance, HHS identifies two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized persons: encryption and destruction. For encryption, electronic PHI must be encrypted in accordance with the HIPAA Security Rule by "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning a meaning without use of a confidential process or key and such confidential process or key that might enable encryption has not been breached." Valid processes for encryption of stored PHI, according to the guidance, would be those consistent with NIST Special Publication ("SP") 800-111, Guide to Storage Encryption Technologies for End User Devices, including (but not limited to) full disk encryption, volume encryption, virtual disk encryption, and file/folder encryption. Valid processes for encrypting PHI during transmission would be those complying with the requirements in Federal Information Processing Standard ("FIPS") 140-2, including NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security Implementations; NIST SP 800-77, Guide to IPsec VPNs; or NIST SP 800-113, Guide to SSL VPNs.
To comply with the destruction guidance, the media on which the PHI is stored or recorded must be destroyed in the following ways:
- Hard copy media (such as paper and film) must be shredded or destroyed in such a way that PHI cannot be read or otherwise reconstructed.
- Electronic media must be cleared, purged, or destroyed so that the PHI cannot be retrieved, consistent with NIST SP 800-88, Guidelines for Media Sanitization.
Significantly, HHS specifically states that the technologies and methodologies listed in this guidance are intended to be an exhaustive, and not simply illustrative, list of the ways to render PHI unusable, unreadable, or indecipherable. That said, by way of this guidance, HHS is also seeking comments on the potential for other technologies and methodologies to render PHI unusable, unreadable, or indecipherable. Specifically, HHS is seeking comments on the following:
- Whether there are particular electronic media configurations that may render PHI unusable, unreadable, or indecipherable, such as fingerprint-protected Universal Serial Bus (USB) drives, which are not covered by the current guidance.
- Whether there are additional methods that should be considered for rendering PHI (either in paper or electronic form) unusable, unreadable, or indecipherable.
- Whether there are circumstances under which the methods discussed above would fail to render information unusable, unreadable, or indecipherable to unauthorized individuals.
- Whether the risk of re-identification of a limited data set warrants its exclusion from the list of technologies and methodologies that render PHI unusable, unreadable, or indecipherable, and whether this risk could be alleviated.
- Whether there are any administrative or legal concerns regarding the ability to comply with the breach notification requirements in response to a breach of PHI in limited data set form.
- Whether future guidance should specify which off-the-shelf products, if any, meet the encryption standards identified in the guidance.
In the guidance, HHS also requests comments regarding the development of an interim final regulation for breach notification. Specifically, HHS seeks comments on the following:
- Whether, based on compliance with state breach notification laws, there are potential conflicts or other issues that should be considered when promulgating the federal breach notification requirements.
- Whether covered entities and business associates anticipate having to send multiple breach notices given current obligations under state law and/or whether there are circumstances under which the required federal notice also would not satisfy state breach notification laws.
- Whether there are any circumstances under which a covered entity or business associate still would be required to provide breach notification under state law if the information had been rendered secure based on the federal requirements set forth in the guidance discussed above.
- The types of circumstances to which the HITECH Act's "breach" exceptions might apply.
All comments must be submitted on or before May 21, 2009.