HHS Issues Guidance for Securing PHI

If you are in the business of securing Personal Health Information (“PHI”) for a healthcare provider, you have no doubt read in detail the Health Information Technology for Economic and Clinical Health Act (HITECH Act) within the American Recovery and Reinvestment Act of 2009 (the “Act”).  As part of the Act, the Department of Health and Human Services (“HHS”) was tasked with defining the term “unsecured PHI” within 60 days of enactment of the HITECH Act.  As result, on April 17, HHS recently issues the Guidance Specifying the Technologies that Render PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (the “Guidance”).

The Guidance distinguishes among four categories or states in which PHI is vulnerable:

— Data in motion (e.g., network, wireless transmission)

— Data at rest (e.g., databases, file systems, other storage)

— Data in use (e.g., being created, retrieved, updated)

— Data disposed (e.g., discarded paper records and electronic media)

Under the guidance, PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals and thus is not “unsecured PHI” if one or more of the following “safe harbors” apply:  the data is encrypted or destroyed.  With the exception of data in use, the Guidance provides specific direction for the technologies and methods for falling within these safe harbors.

Data at Rest.  Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. (www.csrc.nist.gov)

Data in Motion.  Valid encryption processes for data in motion are those that comply with the requirements of Federal Information Processing Standards (FIPS) 140-2, including:

– Standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations,

– 800-77, Guide to IPsec VPNs,

– 800-113, Guide to SSL VPNs, and

— May include others which are FIPS 140-2 validated

Data in Use.  HHS Guidance has not addressed ways to protect such data.  The standard would likely default to what is reasonable under the circumstances and consistent with industry practice.

Data Disposed.  Data disposed means discarded paper records or recycled electronic media.  The media on which the PHI is stored or recorded must have been destroyed in one of the following ways:

– Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed

– Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved