HHS Publishes HITECH HIPAA Guidance
The HHS published its first guidance under the Health Information Technology for Economic and Clinical Health (HITECH) provisions of the American Recovery and Reinvestment Act. The HITECH Act amends the privacy and security provisions of HIPAA. This guidance provides key information to health care providers, health plans, health care clearinghouses and their business associates about the security of PHI.
HIPAA’s existing privacy and security regulations do not include a definition of unsecured PHI. The HITECH Act therefore required the secretary of HHS to issue guidance specifying the technologies and methodologies that render PHI “unusable, unreadable or indecipherable” to unauthorized persons. Securing PHI is important because secured PHI is not subject to the breach notification requirements of the HITECH Act.
The guidance describes two methodologies for securing PHI by making it unusable, unreadable or indecipherable to unauthorized persons: encryption and destruction. The guidance states that these methods may be used to secure data in four commonly recognized data states: data in motion (data traversing a network); data at rest (data held in a database or on storage media); data in use (data being created, retrieved, updated or deleted); and data disposed (discarded or recycled data).
Encryption for purposes of HIPAA means the “use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key,” and such process or key has not been breached. The guidance identifies two encryption processes recognized by the National Institute of Standards and Technology (NIST) as rendering protected health information unusable, unreadable or indecipherable. For data at rest, the acceptable processes are those consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. Valid encryption processes for data in motion are those that comply with Federal Information Processing Standard (FIPS) 140-2. These standards are available on the NIST Web site.
To destroy paper or other hard-copy data, the user must shred or destroy the paper in a manner that ensures the PHI cannot be read or reconstructed. Electronic media are considered destroyed if they are cleared, purged or destroyed such that the PHI cannot be retrieved.
Covered entities and business associates must remember that rendering PHI unusable, unreadable or indecipherable to unauthorized individuals as defined in the guidance is not a substitute for compliance with HIPAA’s privacy and security regulations or other federal or state health information privacy and security laws.