
Industry May Have to Wait for Unsecured PHI Definition

Dom Nicastro, April 17, 2009

If you've got a spare minute, call up the American Recovery and Reinvestment Act of 2009 and search for "unsecured protected health information."

We know you have plenty of spare time as you lead your hospital through an economic recession where the uninsured knock on your door and the insured don't answer the door when you come knocking for payment.

In your search, you will find 13 references, all under the Health Information Technology for Clinical and Economic Health (HITECH) Act, or Title XIII. Each one affects your HIPAA Security Rule compliance program in light of the new laws.

The problem?

No one knows what that means, exactly—at least not at this moment.

Congress gave the Department of Health & Human Services (HHS) 60 days from the February 17 signing of the Act (that is, until Friday, April 17) to define "unsecured protected health information." So far, there has not been an announcement. If no definition is released, it goes to a default, one that includes all protected health information that is not secured by an encryption standard endorsed by the National Institute of Standards and Technology (NIST).

So how do you prepare now without that key definition? After all, the HITECH Act calls for strict notification requirements, all of which hinge upon breaches of "unsecured protected health information." The new requirements include:

  • Notification of all individuals whose unsecured PHI may have been disclosed or accessed
  • 60-day window to notify those patients
  • Requirement to explain why you had to use the full 60 days to notify
  • Notification of prominent media outlets when breaches of unsecured PHI include 500 patient records or more
  • Immediate notification of the secretary of HHS on breaches of at least 500 patients

So, you can kind of see why this definition is important. Or is it? Should you be watching ever so closely for a definition?

"Don't hold your breath," says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.

Borten thinks the definition will matter, but she does not see it including any earth-shattering content that strays too far from what's already out there.

For instance, the Security Rule of 2003 already establishes encryption as a necessity for PHI flowing over the Internet and open networks. That encryption mandate goes back to the 1998 proposed Security Rule, Borten says. And the Healthcare Financing Administration came out with an Internet Security Policy in 1998.

"We've known we need to encrypt confidential data over the Internet for over a decade," Borten says.

Further, when you've got a federal department with no permanent leader (President Barack Obama nominated Kathleen Sebelius as the new secretary of HHS, but she has not been confirmed), how much can you do anyway?

Dena Boggan, CPC, CMC, CCP, HIPAA privacy/security officer for St. Dominic Jackson Memorial Hospital in Jackson, MS, says organizations have come a long way encrypting data already.

"We've come so far along making sure we've got under the Security Act everything protected, encrypted, and how to have a secure firewall, a hacker-proofed system and all of that," she says.

Organizations that have encrypted data are in good shape.

However, as Johnnie Cochran might say, if you don't encrypt, you must equip. Look for any potential unsecured PHI and evaluate the need for encryption.

And you should already be using resources provided in NIST's Computer Security Resource Center.

"It's free," Borten says. "We pay for it with our tax dollars. The resource is fabulous."

For the record, the general default definition of unsecured PHI in the HITECH Act is: "Protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute."

When can they change the default definition? That's unclear now. Ultimately, things may not change a whole lot.

"As long as you're buying products that use known algorithms, you really should be fine," Borten says. "I don't think HHS or Congress expect organizations to throw out what they've done so far."


Dom Nicastro is a senior managing editor at HCPro, Inc. in Marblehead, MA. He edits the Briefings on HIPAA and Health Information Compliance Insider newsletters. E-mail him at dnicastro@hcpro.com.
