HHS issued a proposal for security breach notification in a 20-page report that defines acceptable conditions for covered entities and business associates to encrypt or destroy their private patient data to secure protected health information (PHI) and prevent a breach.
The guidance released Friday includes the technologies and methods specified by the Secretary of HHS that render PHI "unusable, unreadable, or indecipherable to unauthorized individuals." The American Recovery and Reinvestment Act of 2009 (ARRA) required the draft guidance by Saturday, April 18, according to an HHS press release.
Covered entities and business associates are not required to follow the guidance. However, if they do, it creates a "safe harbor" and protects them from the notification requirements when a security breach occurs, according to the new HHS report.
Though the guidance is not yet final, covered entities and business associates should pay close attention to it, because it will help determine whether their facility has had a breach of patient privacy.
Title XIII of the ARRA—the Health Information Technology for Clinical and Economic Health (HITECH) Act—describes greater notification requirements for breaches of "unsecured PHI," or PHI that is not secured through technologies and methodologies specified by the Secretary.
The report released Friday includes those specifications. After a public comment period, which ends May 21, the final guidance will be released by August 17, according to the ARRA.
Wait to make your move
"Keep in mind, this is a new federal requirement which overlaps with security breach notification laws already on the books in almost every state, and personal information disposal laws on the books in many states," says John R. Christiansen, of Christiansen IT Law, in Seattle. "... We're going to have to analyze state laws specifically to figure out if there are places where the state law is stronger. It probably isn't worth doing a definitive analysis until the final guidance comes out."
In general, HHS specifies two methods for protecting data: encryption (for information flowing out of a network) and destruction (for paper and electronic records).
John C. Parmigiani, president of John C. Parmigiani & Associates, LLC, in Ellicott, MD, says in effect the guidance mirrors what many state laws already say.
HHS defines acceptable encryption as:
HHS defines acceptable destruction as:
The final regulations will be published in the Federal Register within 180 days of the signing of the ARRA, or by August 17, 2009.
Overall, providers who already encrypt their data are in good shape, says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.
"Use what's already out there and government-approved," Borten suggests.
According to Christiansen, covered entities and business associates should read this guidance and check their state's security breach notification laws.
"HITECH works like HIPAA when one of its provisions and a state law both apply: The one that is more protective trumps the other," Christiansen says. "My feeling is that the HITECH provision plus this guidance is probably more stringent than almost all state laws. I haven't yet tried to analyze it against California, which has the strongest law in this area—but generally I expect HITECH will apply."
Editor's note: To learn more about HIT initiatives, view the American Recovery and Reinvestment Act of 2009.