Monday, April 20, 2009

HHS Issues Guidelines to Secure PHI

On April 17, HHS announced guidance on the technologies for securing protected health information (PHI). The technologies are used to render PHI "unusable, unreadable or indecipherable to unauthorized individuals." Properly used, these technologies also protect health care covered entities, business associates and vendors of PHRs (personal health records) from the pending breach notification requirements.

It's all documented under this snappy title: Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information.

The guidance will apply to breaches occurring 30 days after the forthcoming release of the final regulations.

Encryption methods that are deemed acceptable include:

  • "Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
  • Valid encryption processes for data in motion are those that comply with the requirements of Federal Information Processing Standards (FIPS) 140-2. These include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated."

Acceptable methods to destroy PHI include:

  • "Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
  • Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved."

Comments on this guidance will be accepted through May 21.