Breach Notices, Securing PHI & PHR Vendor Responsibilities Under HIPAA/HITECH Act

Last Friday the US Department of Health and Human Services (HHS) released, at the last possible moment to meet their deadline, their interim final regulations to require covered entities (CEs) under the Health Insurance Portability and Accountability Act (HIPAA) and their business associates (BAs) to provide for notification in the case of breaches of unsecured protected health information (PHI) as required by the HITECH Act.
If you’ve read any of the at least 47 U.S. state and territory beach notice laws you will get a strong sense of deja vu while reading this document. They borrowed HEAVILY from the various existing breach notice laws to estblished their proposed definitions of securing PHI, what constitutes a “breach” of PHI, and for doing breach notifications.
There are two major issues…

1) The methods that can be used to “secure,” according to the guidance, PHI.
There are two acceptable methods: encryption and destruction.
Encryption is the obvious method provided for securing ePHI, and the acceptable encryption methods were expectedly referencing NIST standards.
However, it is important to render disposed PHI, in all forms, irreversibly destroyed as well.
Here are the definitions provided for encryption and destruction:

“a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key”15 and such confidential process or key that might enable decryption has not been breached. Encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.
i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
ii)Valid encryption processes for data in motion are those that comply with the requirements of Federal Information Processing Standards (FIPS) 140-2. These include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.
b)The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.”

The statement, “Note that the technologies and methodologies referenced below in Section B are intended to be exhaustive and not merely illustrative” is interesting; this makes it important for all information security and privacy folks who see gaps with these methods to submit feedback and comments during this review period.
A breach is defined as:

“For purposes of these provisions, “breach” is defined in the Act as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”

The definition of a breach leaves much to be desired; it is much too subjective. Also, there are many incidents where authorized individuals did bad things with PHI, and all other types of personally identifiable information (PII), that should require notification as well.
2) Breach notice requirements for CEs, along with BA and PHR vendor breach notice responsibilities.
Breach notifications only need to be made for what falls under “unsecured” PHI. So, if someone gets hold of PHI that is encrypted using the referenced NIST encryption standards, then notification is not required.
Breach notification applies not only to CEs and BAs, but also personal health records (PHR) vendors.
Eh-hmm; Microsoft, Google and others, hope you read this! And also note that the FTC is enforcing this requirement for your types of organizations, and they have historically been much more aggressive in compliance activities. Heck, they had their breach notification draft posted for comment on April 16.
Here’s the passage of note related to this:

“Further, section 13407 of the Act defines “unsecured PHR identifiable information” as personal health record (PHR) identifiable health information that is not protected through the use of a technology or methodology specified in the Secretary’s guidance. Thus, this guidance also is to be used to specify the technologies and methodologies that render PHR identifiable health information unusable, unreadable, or indecipherable to unauthorized individuals for purposes of the temporary breach notification requirements that apply to vendors of PHRs and certain other entities (that are not otherwise HIPAA covered entities) under section 13407 of the Act. Section 13407 is to be administered by the Federal Trade Commission (FTC) and requires the FTC to promulgate regulations within 180 days of enactment.”

Notices for defined breaches must be made within 60 days of the discovery of the breach.
I like that email only notification cannot be made UNLESS the individuals impacted have provided consent for such type of notification.
I am very glad to see that the BAs are required to contact the *CE* upon discovery of a breach and let them do the notifications. This makes so much sense.
The CE is the entity with the direct relationship with the individual, and is ultimately responsible for ensuring the PHI is appropriately safeguarded.
The breach notice contents are also a big deja vu with the state breach notice laws.
It is important that CEs and BAs understand that these requirements for notification apply not only to electronic PHI, but also to PHI in other forms, such as paper.
If you have opinions about these proposed requirements, be sure to send in your comments and suggestions by posting to the HHS site, or one of the other provided methods, on or before May 21, 2009. If you have concerns, let your opinion be known!
If you want to gripe about these proposed documents then get active and do something about it!
Note that your comments will be posted online,

“All comments received before the close of the comment period will be available for public inspection, including any personally identifiable or confidential business information that is included in a comment. We will post all comments received before the close of the comment period at”

Tags: , , , , , , , , , , , , , ,

Leave a Reply