The Health Information Technology for Economic and Clinical Health Act (HITECH) introduced a number of significant amendments to HIPAA's privacy and security rules. Under one of the most significant of these modifications, HIPAA will require a covered entity to notify affected individuals (and sometimes the U.S. Department of Health and Human Services and news media) when the covered entity discovers a breach of unsecured protected health information (PHI). A business associate will be required to notify the covered entity when it discovers this sort of breach. For these purposes, a breach is the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information. However, a breach will not be deemed to occur where a disclosure is made to an unauthorized person who would not reasonably have been able to retain the information.
The new rules provide that protected health information will be "unsecured" if it is not secured through the application of a technology or methodology that renders it unusable, unreadable, or indecipherable to unauthorized individuals and that meets standards specified in guidance published by the government. Complying with a 60-day statutory deadline for issuing that guidance, HHS has published information and a request for comments on these technologies and methodologies.
The guidance divides protected health information data into four categories: (1) "data in motion," (2) "data at rest," (3) "data disposed," and (4) "data in use." It provides safe harbors for securing PHI (at least electronic PHI) in three of these categories.
Specifically, the guidance identifies processes for encryption and destruction that covered entities and business associates may apply to prevent PHI from being considered unsecured. A valid encryption process must include two elements: a process or key that is kept confidential, and an algorithm that transforms the data into a form in which there is a low probability that the data can be given meaning without the use of that process or key. The standards set forth in the guidance for each of the categories of data follow:
Data in motion. Data in motion are data that move through a network or wireless transmission. To satisfy the safe harbor, data in motion must be secured through a valid encryption process that complies with the requirements of Federal Information Processing Standards (FIPS) 140-2. As appropriate, FIPS 140-2 includes standards described in the National Institute of Standards and Technology (NIST) Special Publications 800-52, 800-77, or 800-113 and certain other standards.
Data at rest. Data at rest are data that reside in databases, file systems, and other structured storage methods. Data at rest must be secured through a valid encryption process consistent with NIST Special Publication 800-111.
Data disposed. Data disposed include discarded paper records or recycled electronic media. Paper, film, or other hard-copy media must be shredded or destroyed so that the PHI cannot be read or otherwise reconstructed. Electronic media must be cleared, purged, or destroyed consistent with NIST Special Publication 800-88 so the PHI cannot be retrieved.
Data in use. Data in use are data that are in the process of being created, retrieved, updated, or deleted. HHS issued no specific technology or methodology to secure data in use. It solicits comments on the appropriate methodology for securing data in this category.
If a covered entity and its business associates follow these safe harbor technologies or methodologies for PHI, they will not need to provide the notices otherwise required by HIPAA that PHI has been breached. Adherence to this guidance does not relieve covered entities or business associates from other applicable data privacy and security obligations under federal or state law (like the duty to mitigate harm as practicable) that may apply following a breach of individually identifiable information, including PHI.
Covered entities and business associates must comply with this guidance within 30 days after HHS publishes the HITECH interim final regulations on this subject. The HITECH interim final regulations should be issued no later than August 16, 2009 (180 days after the enactment of HITECH), which means covered entities and their business associates who seek to take advantage of the safe harbor will need to implement appropriate encryption and destruction processes by September 15, 2009 (and possibly earlier).
HHS is requesting comments on a range of topics that may affect the rules that appear in the interim final regulations.
With only a month between the issuance of those regulations and the deadline for compliance, covered entities and business associates may choose to start considering their options and implementing measures based on the recent guidance. As a preliminary matter, they may consider whether and how to implement processes that meet the safe harbor requirements.
On a separate track, they may re-evaluate their privacy and security measures to determine how well they protect PHI against breaches for which notification would be required. In conducting this evaluation, they may wish to take into account certain limited exceptions to the notice requirement, for example, for certain confined, inadvertent disclosures at a facility by an individual who is authorized to have access to PHI at that facility.
Covered entities and business associates may also contemplate changes to their relevant business associate agreements to account for appropriate reporting of these breaches and, at least potentially, for the allocation of responsibilities in the event of a breach.
Please feel free to contact the following members of our Employee Benefits and Executive Compensation and Health Care Groups for further information:
Jean C. Hemphill (215.864.8539)
Edward I. Leeds (215.864.8419)
Copyright © 2009 by Ballard Spahr LLP.
(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This newsletter is a periodic publication of Ballard Spahr LLP and is intended to alert the recipients to new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own lawyer concerning your situation and specific legal questions you have.