HHS & FTC Breach Notice Rules: First Time NIST Standards Specifically Referenced

The Department of Health and Human Services (HHS) issued their interim final rule for breach notification standards on August 19. Federal Trade Commission (FTC) issued their final rule of breach notification standards on August 17. The HHS rule covers all healthcare covered entities (CEs) and business associates (BAs). The FTC rule covers all personal health record (PHR) vendors and their service providers…


It is interesting to note that, according to Peter McLaughlin, a lawyer at Foley & Lardner in Boston, this is the first time the HHS and FTC have pointed to any types of standards, in this case specifically NIST standards, as a solid reference for compliance within regulations. In this case it is for the use of a specific minimum level of encryption that can be used as a type of safe harbor to consider protected health information (PHI) as being secured, even if there is unauthorized access to it, so that no notification is necessary.
As noted in the HHS rule:

“Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated”


NOTE: For these docs see http://www.csrc.nist.gov/.
I wish more of the data protection laws and regulations would reference minimum standards from NIST, or some other widely-recognized standards authority! It would take a lot of the ambiguity and confusion out of trying to meet compliance that so many organizations struggle with.

Tags: , , , , , , , , , , , , , ,

Leave a Reply