Thanks to HHS, we now know what "unsecured protected health information" means. So where do we go from here?
If you're leading an organization that handles protected health information (PHI), you may be asking that question today.
As HealthLeaders Media reported Tuesday, HHS issued a proposal for security breach notification in a 20-page report that defines acceptable conditions for covered entities and business associates to encrypt or destroy their private patient data to secure PHI and prevent a breach.
The guidance includes the technologies and methods specified by the secretary of HHS that render PHI "unusable, unreadable, or indecipherable to unauthorized individuals."
In other words, if the data does not include these methods and technologies, it could be considered "unsecured PHI."
Time to go out and buy the latest encryption software, right? Not quite.
With its draft guidance, HHS really did no more than point to the NIST standards of data encryption, endorsed by the government regulators long before the release of the draft guidance last week, says Chris Apgar, CISSP, president of Apgar & Associates in Portland, OR.
To that end, see if your organization is already in compliance and using government-approved and offered encryption methods for information flowing out of your network.
Further, covered entities and business associates are not required to follow the guidance. HHS says in the guidance it merely creates a "safe harbor" and protects covered entities and business associates from notification requirements when a security breach occurs.
After a public comment period, which ends May 21, the final guidance will be released by August 17, according to the ARRA.
And there will be comments, says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA.
"I think there are going to be changes as far as the way to secure PHI," Herold says. "They provided basically two methods (encryption and destruction), which are both important and good. But I think there may need to be additional methods that go beyond those two."
Here's what else you can take away from the HHS draft guidance:
Consider destruction as well as encryption. "It is important to render disposed PHI, in all forms, irreversibly destroyed as well," Herold says. "The statement, ‘Note that the technologies and methodologies referenced … are intended to be exhaustive and not merely illustrative' is interesting; this makes it important for all information security and privacy folks who see gaps with these methods to submit feedback and comments during this review period."
Covered entities and their business associates must understand that these requirements apply not only to electronic PHI, but also to PHI in other forms, such as paper.
Look for further specifications of encryption. As Apgar points out, HHS did not specify the level of encryption to make data secure. "As an example, if data is encrypted using 128 bit encryption, it is not necessarily ‘unsecured' given 128 bit encryption has been broken."
Consult with your IT specialists. Several of the documents recommended by HHS are "very technical in their contents describing various aspects of information systems to include their architecture and on how data are stored, organized, and transferred within an information system," says Frank Ruelas, MBA, the creator of www.hipaabootcamp.com who is based out of Scottsdale, AZ.
What are the legal implications of the guidance? If the guidance were to be final today, how would covered entities and business associates be legally bound? After all, no one is forced to follow it; HHS merely calls it the "functional equivalent of a safe harbor"–which reminds John R. Christiansen, of Seattle's Christiansen IT Law, of the European Union data protection or anti-kickback safe harbors. "The most important implication of this is that following the guidance should protect against civil penalty actions by HHS, which published the guidance and therefore is bound by it," he says. "The fact that it is not 100% binding on the courts probably shouldn't matter."
So where do you go from here? Backward to look at your encryption methods. And forward to consider commenting on the HHS draft guidance.