HHS Issues Interim Final Rule for HITECH ‘Breach Notification’

U.S. Department of Health and Human Services Secretary, Kathleen Sebelius, has issued the Interim Final Rule for Breach Notification for Unsecured Protected Health Information.  The Interim Final Rule was signed by Secretary Sebelius on August 6, 2009, filed at the Federal Register on Wednesday, August 19, 2009, and will be published on Monday, August 24, 2009, in the Federal Register.  The effective date of the Interim Final Rule will be 30 days after publication, and will cover both covered entities and business associates of covered entities.  Here is the Summary of the Interim Final Rule:

“The Department of Health and Human Services (HHS) is issuing this interim final rule with a request for comments to require notification of breaches of unsecured protected health information.  Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA) that was enacted on February 17, 2009, requires HHS to issue interim final regulations within 180 days to require covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates to provide notification in the case of breaches of unsecured protected health information.  For purposes of determining what information is ‘unsecured protected health information,’ in this document HHS is also issuing an update to its guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.”

Here is the updated guidance that appears in the Interim Final Rule:

“B.  Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:

(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by ‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key’ [45 CFR 164.304, definition of ‘encryption’] and such confidential process or key that might enable decryption has not been breached.  To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.  The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.

(i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices [Available at http://www.csrc.nist.gov; NIST Roadmap plans include the development of security guidelines for enterprise-level storage devices, and such guidelines will be considered in updates to this guidance, when available.]

(ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated [available at http://www.csrc.nist.gov.]

(b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways:

(i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.  Redaction is specifically excluded as a means of data destruction.

(ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization [available at http://www.csrc.nist.gov], such that the PHI cannot be retrieved.”
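As an added illustration (not part of the HHS guidance or HIPAA.com's text), the following Python helper encodes the guidance's safe-harbour conditions as a breach-triage decision: an artifact counts as secured only under (a) encryption with an unbreached key, (b)(i) physical destruction of hard copy (redaction excluded), or (b)(ii) NIST SP 800-88 sanitization of electronic media. The class and field names are hypothetical, and treating a key co-located with its data as breached is a conservative reading of the "should be stored separately" language, not a rule the guidance states.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Media(Enum):
    ELECTRONIC = "electronic"
    HARD_COPY = "hard copy"


class Protection(Enum):
    NONE = "none"
    ENCRYPTED = "encrypted"    # per NIST SP 800-111 / 800-52 / 800-77 / 800-113
    REDACTED = "redacted"      # explicitly NOT a destruction method under (b)(i)
    SHREDDED = "shredded"      # (b)(i): shredded/destroyed so PHI cannot be reconstructed
    SANITIZED = "sanitized"    # (b)(ii): cleared/purged/destroyed per NIST SP 800-88


@dataclass
class Incident:
    """Constructed description of one lost or stolen PHI artifact (hypothetical schema)."""
    media: Media
    protection: Protection
    key_compromised: bool = False       # decryption key/process was exposed along with the data
    key_stored_with_data: bool = False  # key kept on the same device/location as the data


def is_unsecured_phi(inc: Incident) -> bool:
    """Return True when the PHI is 'unsecured', i.e. breach notification applies."""
    p = inc.protection
    if inc.media is Media.ELECTRONIC:
        if p is Protection.ENCRYPTED:
            # Secured only while the confidential process or key has not been breached.
            # Assumption: a key stored alongside the ciphertext is treated as breached.
            return inc.key_compromised or inc.key_stored_with_data
        # Unencrypted electronic media are secured only if sanitized per SP 800-88.
        return p is not Protection.SANITIZED
    # Hard copy: only physical destruction qualifies; redaction does not.
    return p is not Protection.SHREDDED


def triage(incidents: list[Incident]) -> list[Incident]:
    """Filter a list of incidents down to those that require notification."""
    return [i for i in incidents if is_unsecured_phi(i)]
```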

Comments on the provisions of the Interim Final Rule are due on or before 60 days after the publication date [of August 24, 2009], and instructions for filing comments are included in the Interim Final Rule.  Comments regarding guidance “received in response to the interim final rule will be addressed in the first annual update to the guidance, to be issued in April 2010.”

HIPAA.com will have available on its site the official published version of the Guidance on August 24, 2009, and recommends that you consult the online version cited above for an early look, but rely on the published Federal Register version, when published.
