How To Avoid The HIPAA (HITECH) Security Breach Notification Requirement: DHHS Issues (Timely!) Guidance On Methodologies To “Secure” Protected Health Information
Health Law Update 04/21/09 Sarah E. Coyne
The Department of Health and Human Services ("DHHS") has met the ambitious timeframe set forth in HITECH to issue specific guidance on how to render Protected Health Information ("PHI") "secure." The importance of this guidance is that breaches of unsecured PHI are subject to rather onerous notification requirements, which left an open question about how to "secure" the information. On April 17, 2009, DHHS issued the following document in an apparent attempt to win the contest for the Longest Name Ever Given to a Guidance Document: "Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of Breach Notification Requirements Under Section 13402 of the . . . Health Information Technology for Economic and Clinical Health Act ("HITECH") of the American Recovery and Reinvestment Act of 2009 ("ARRA")." Much to our readers' certain disappointment, we will be characterizing this document throughout as "the Guidance." The Guidance is available here.
Question: So what are we talking about this time?
Answer: How to avoid the new breach notification requirement by securing your PHI, using standards acceptable to the government.
This Guidance relates to the breach notification requirement associated with unsecured protected health information.
The breach notification requirement is triggered by a breach of unsecured protected health information to unauthorized individuals; if the PHI is secured, there is no such requirement. Disclosures to authorized individuals also fall within the exceptions to the notification requirement. "Breach" is carefully defined in HITECH.
As you will all recall from reading (and re-reading, we are sure) our original client update on the HITECH changes to the privacy and security rules under HIPAA (available here), HITECH required DHHS to issue interim final regulations within 180 days of enactment, requiring covered entities and their business associates to provide for notification in the case of breaches of unsecured PHI. HITECH provided a default definition for unsecured PHI in the event that DHHS did not act by April 17, 2009 to provide the definition and guidance. DHHS did, in fact, issue a definition within that time frame, in the form of the Guidance we write about here.
The default definition of unsecured PHI that would have become law, absent this Guidance, was "protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute ("ANSI")." The Guidance replaces that definition by specifying that PHI may be secured through encryption or destruction.
Question: To whom does the breach notification requirement apply, for unsecured PHI?
Answer: To HIPAA-covered entities and business associates that access, maintain, retain, modify, record, store, destroy or otherwise hold, use or disclose unsecured PHI.
Question: Are de-identified records outside the scope of the breach notification requirement?
Answer: Yes. DHHS notes that this Guidance is irrelevant to de-identified information because, once de-identified, it is no longer PHI.
Question: Are paper records outside the scope of the breach notification requirement?
Answer: No. Paper records (and other hard copy media such as film) are covered by the rules. Paper (or other hard copy media) PHI may be secured through destruction, as described further below.
Question: If we comply with this Guidance, are we home free?
Answer: Not completely.
The Guidance repeatedly reminds the regulated entities that the rest of the HIPAA rules (privacy and security) still apply. That said, DHHS characterizes this guidance as the "functional equivalent of a safe harbor."
Question: Can data at rest trigger the breach notification, or need we only worry about data in motion?
Answer: We need to worry about data at rest too.
DHHS distinguishes between "data in motion" (i.e., data moving through a network, such as a wireless transmission) and "data at rest" (i.e., data that resides in databases, file systems and other structured storage systems), and notes that the methods for rendering PHI unusable, unreadable or indecipherable to unauthorized individuals apply to both.
Question: What are the two general methodologies specified for securing PHI?
Answer: PHI is secured if encrypted or destroyed.
DHHS notes that other methods may also suffice, but this Guidance identifies only these two methods, with some specific guidance attached to each. Presumably DHHS will update the Guidance with any additional methods that are deemed acceptable.
Question: How do we encrypt electronic PHI?
Answer: Follow the NIST publications.
Electronic PHI is considered "encrypted," as specified in the HIPAA security rule, by "'the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key' and such confidential process or key that might enable decryption has not been breached." In other words, encryption only earns the safe harbor while the key stays confidential; a breach that exposes the key along with the ciphertext is a breach of unsecured PHI. (Note to the usual privacy/security crowd: This answer gets extremely technical and boring at this point.)
With regard to Data At Rest: Valid encryption processes are consistent with the National Institute of Standards and Technology (NIST) Publication No. 800-111, entitled "Guide to Storage Encryption Technologies for End User Devices." It is available here.
With regard to Data In Motion: Valid encryption processes are those that comply with the requirements of Federal Information Processing Standards ("FIPS") 140-2. These include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for Selection and Use of Transport Layer Security ("TLS") Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs; and may include others that are FIPS 140-2 validated.
Here are relevant links:
FIPS 140-2: available at http://csrc.nist.gov/publications/PubsTC.html
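As an added illustration (this is not part of the Guidance or of this update), the following Python snippet builds a TLS client context constrained to what the current revision of NIST SP 800-52 (Rev. 2, 2019) permits, TLS 1.2 or later with certificate validation, and then audits the result for cipher suites built on algorithms the publication disallows. The cipher string, the list of disallowed algorithm names and the `audit_context` helper are this example's own choices, not text from 800-52; whether the underlying OpenSSL build is itself FIPS 140-2 validated is a separate question that the code cannot answer.

```python
"""Added example: a TLS client context for PHI in motion, constrained to
TLS 1.2+ as NIST SP 800-52 Rev. 2 requires, plus an audit of the result.
Nothing here is from the DHHS Guidance itself; the cipher string and the
disallowed-algorithm list are this example's assumptions."""
import ssl

# Substrings identifying suites 800-52 does not permit (RC4, MD5, single
# and triple DES, NULL ciphers, export-grade suites). Assumed list for this
# example; consult the publication's tables for the authoritative set.
DISALLOWED = ("RC4", "MD5", "DES", "NULL", "EXPORT")


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and requires a
    validated server certificate whose name matches the host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_default_certs()
    # TLS 1.2 suite selection: ephemeral key exchange (forward secrecy) with
    # AES-GCM, an AEAD mode built on FIPS-approved primitives. TLS 1.3 suites
    # are configured separately by OpenSSL and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def weak_suites(ctx: ssl.SSLContext) -> list:
    """Names of negotiable suites that use a disallowed algorithm."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(tag in c["name"] for tag in DISALLOWED)]


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Plain-data summary suitable for a log entry or a compliance checklist."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "weak_suites": weak_suites(ctx),
        "suite_count": len(ctx.get_ciphers()),
    }


if __name__ == "__main__":
    report = audit_context(hardened_client_context())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run the script against the OpenSSL build your application actually links; `weak_suites` should come back empty and `min_version` should read `TLSv1_2`. A context that passes this audit still only satisfies the "data in motion" prong of the Guidance if the cryptographic module behind it is FIPS 140-2 validated, which is a property of the OpenSSL build and its FIPS provider, not of these settings.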
Question: How do we destroy paper and other hard copy media containing PHI?
Answer: Shred or otherwise destroy paper and other hard copy media; for electronic media, follow the NIST publication on media sanitization.
Paper, film or other hard copy media containing PHI may be secured by destroying them. That means shredding or otherwise destroying them such that the PHI cannot be read or otherwise reconstructed.
Electronic media are secured if cleared, purged or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization.
Question: What are the open points about which DHHS seeks comment?
Answer: Methods of securing PHI, the Guidance generally, and breach notification generally.
DHHS asks a number of questions about the Guidance, generally seeking feedback on additional security parameters for both electronic and paper PHI. DHHS also asks for comment on the functionality of the methods identified and about the risk of re-identification if limited data sets are considered secure. The Guidance also asks whether future guidance should specify which off-the-shelf products, if any, meet the specified encryption standards.
DHHS also invites comment generally on the breach notification provisions of HITECH.
Question: How and when may our readers comment on this Guidance?
Answer: By May 21, 2009, by any of the methods specified in the Guidance.
* * *
For more details on this Guidance or any health care topic, or if you have any questions, please contact Sarah Coyne at (608) 283-2435 / email@example.com, Kerry Moskol at (608) 283-2609 / firstname.lastname@example.org or your Quarles and Brady attorney.