


HHS Issues Guidance for Securing PHI

May 03, 2009 | 3 mins
Data and Information Security

If you are in the business of securing Personal Health Information (“PHI”) for a healthcare provider, you have no doubt read in detail the Health Information Technology for Economic and Clinical Health Act (HITECH Act) within the American Recovery and Reinvestment Act of 2009 (the “Act”). As part of the Act, the Department of Health and Human Services (“HHS”) was tasked with defining the term “unsecured PHI” within 60 days of enactment of the HITECH Act. As a result, on April 17, HHS issued the Guidance Specifying the Technologies that Render PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (the “Guidance”).

The Guidance distinguishes among four categories or states in which PHI is vulnerable:

— Data in motion (e.g., network, wireless transmission)

— Data at rest (e.g., databases, file systems, other storage)

— Data in use (e.g., being created, retrieved, updated)

— Data disposed (e.g., discarded paper records and electronic media)

Under the Guidance, PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals, and thus is not “unsecured PHI,” if one or both of the following “safe harbors” apply: the data is encrypted, or the data is destroyed. With the exception of data in use, the Guidance provides specific direction on the technologies and methods that fall within these safe harbors.

Data at Rest. Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.

Data in Motion. Valid encryption processes for data in motion are those that comply with the requirements of Federal Information Processing Standards (FIPS) 140-2, including:

– Standards described in NIST Special Publication 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations,

– NIST Special Publication 800-77, Guide to IPsec VPNs,

– NIST Special Publication 800-113, Guide to SSL VPNs, and

– Other encryption processes that are FIPS 140-2 validated

Data in Use. The Guidance does not address ways to protect such data. The standard would likely default to what is reasonable under the circumstances and consistent with industry practice.

Data Disposed. Data disposed means discarded paper records or recycled electronic media. The media on which the PHI is stored or recorded must have been destroyed in one of the following ways:

– Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed

– Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved

Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
