HIPAA.com has received from its readers requests for information on topics related to HIPAA Administrative Simplification Privacy and Security Rules and to updates to those rules reflected in the HITECH Act provisions of the American Recovery and Reinvestment Act of 2009, signed by President Obama on February 17, 2009. Recently, HIPAA.com answered the question of particular interest to several readers: what exactly is protected health information (PHI)? In this posting, we answer the question: what are the fundamental properties that underlie privacy and security of protected health information?
Three Key Properties
The three key properties that underpin privacy and security under the Health Insurance Portability and Accountability Act (HIPAA) are availability, confidentiality, and integrity.
Availability is the property that data or information is accessible and useable upon demand by an authorized person.
Confidentiality is the property that data or information is not made available or disclosed to unauthorized persons or processes.
Integrity is the property that data or information have not been altered or destroyed in an unauthorized manner.
These definitions appear in 45 CFR § 164.304, where CFR stands for the Code of Federal Regulations. Part 164 covers Security and Privacy. These definitions fall into Subpart C, which covers Security Standards for the Protection of Electronic Protected Health Information. These properties also underpin the “Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals” that appears in the Interim Final Rule: Breach Notification for Unsecured Protected Health Information, issued by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) and published in the Federal Register on August 24, 2009.