    HHS Guidance Describes Safe Harbor from Data Breach Notification Requirements
    June 2, 2009 | Author: Allen E. Briskin
    Law Firm: Davis Wright Tremaine LLP - San Francisco Office

    On April 17, 2009, the Department of Health and Human Services (HHS) issued "Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements under Section 13402 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act)." The February 2009 American Recovery and Reinvestment Act (ARRA) required HHS to publish this Guidance.

    The Guidance describes what is essentially a "safe harbor" from within which covered entities and business associates need not comply with ARRA’s data breach notification requirements. At its center, the Guidance establishes an encryption and destruction standard for health information, and explains that covered entities and business associates will not be subject to ARRA’s data breach notification requirements for breaches of data that is encrypted or destroyed in accordance with this standard.

    Although the Guidance raises more questions than answers, it does offer a process-oriented approach. Entities and business associates covered by the Guidance should take careful note of its provisions, and, if needed, provide input to HHS. The Guidance solicits comments, which must be made before May 21, 2009.

    HHS’s issuance of the Guidance corresponded to the Federal Trade Commission’s publication of proposed rules concerning data breach notification requirements for developers of personal health record (PHR) systems and related entities, which we discussed in our advisory "FTC as Enforcer: Proposed Data Breach Notification Rule for Personal Health Records."

    Background

    ARRA requires HHS to issue interim final regulations within 180 days of ARRA’s enactment regarding the obligations of Health Insurance Portability and Accountability Act (HIPAA) covered entities and their business associates to notify individuals whose unsecured protected health information (PHI) has been, or is reasonably believed to have been, inappropriately accessed, acquired or disclosed to unauthorized persons (i.e., a “breach”).

    The Guidance performs an important regulatory function, by describing the measures a covered entity or business associate may take to "secure" protected health information by making it unusable, unreadable or indecipherable to unauthorized persons. PHI that has been rendered unusable, unreadable or indecipherable by using the means described in the Guidance will not be "unsecured" PHI, and the forthcoming breach notification requirements will not apply in the event of breaches in the security of that information.

    The Guidance offers two approaches for rendering PHI unusable, unreadable or indecipherable to unauthorized individuals: encryption and destruction.

    Encryption

    Under the HIPAA Security Rule, PHI is deemed to be encrypted when it has been transformed by "the use of an algorithmic process to transform the data into a form in which there is a low probability of assigning meaning without use of a confidential process or key," and the confidential decryption process or key has not itself been breached.

    The Guidance identifies the following encryption processes as having been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard:

    1. For "data at rest" (i.e., data that resides in databases, file systems and other structured methods), the approved encryption processes are those that are consistent with NIST Special Publication 800-111, "Guide to Storage Encryption Technologies for End User Devices."
    2. For "data in motion" (i.e., data that is moving through a network, including wireless transmission), the approved encryption processes are those that comply with the requirements of the Federal Information Processing Standards (FIPS) 140-2. These include, as appropriate, standards described in NIST Special Publications 800-52, "Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations"; 800-77, "Guide to IPsec VPNs"; or 800-113, "Guide to SSL VPNs," and may include others which are FIPS 140-2 validated.
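    The two-part test in the encryption standard above (an approved algorithmic process, and a confidential key that has not itself been breached) is easy to lose sight of in an incident review, so here is an added worked example that is not part of the Guidance, HHS, or this advisory. It encrypts a constructed PHI record at rest with AES-256-GCM from Go's standard library, shows that the ciphertext is unreadable without the key, and applies the safe-harbor test to the facts an incident review establishes. The record contents, the key values and the `BreachFacts` names are assumptions made for illustration; note also that the Go standard library is not by itself a FIPS 140-2 validated module, so a deployment relying on the "data in motion" prong would still need a validated implementation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// SecuredRecord is a stored copy of PHI: ciphertext plus the per-record nonce.
// The AES key is deliberately NOT part of the record; it lives in a separate
// key store so that loss of the media does not also expose the key.
type SecuredRecord struct {
	Nonce      []byte
	Ciphertext []byte
}

// EncryptPHI seals plaintext PHI under a 32-byte key with AES-256-GCM
// (an authenticated mode, so tampering is detected as well as reading).
func EncryptPHI(key, plaintext []byte) (SecuredRecord, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return SecuredRecord{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return SecuredRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SecuredRecord{}, err
	}
	return SecuredRecord{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// DecryptPHI opens a record. With any key other than the sealing key, GCM's
// authentication tag fails and an error is returned instead of garbage plaintext.
func DecryptPHI(key []byte, rec SecuredRecord) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil)
}

// BreachFacts (hypothetical name) records what an incident review established
// about an exposed copy of data.
type BreachFacts struct {
	EncryptedPerGuidance bool // produced by a process consistent with SP 800-111 / FIPS 140-2
	KeyCompromised       bool // the confidential key or decryption process was also exposed
}

// NotificationRequired applies the Guidance's test: the data is "secured", and
// notification is not required, only if BOTH conditions hold. Encrypted data
// whose key was exposed alongside it is still "unsecured" PHI.
func NotificationRequired(f BreachFacts) bool {
	secured := f.EncryptedPerGuidance && !f.KeyCompromised
	return !secured
}

func main() {
	key := make([]byte, 32) // constructed: a real deployment draws this from a key store / HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	rec, err := EncryptPHI(key, []byte("MRN 0001: constructed sample, not real PHI"))
	if err != nil {
		panic(err)
	}
	// A lost laptop holding only rec: unreadable without the separately held key.
	if _, err := DecryptPHI(make([]byte, 32), rec); err != nil {
		fmt.Println("ciphertext without key:", err)
	}
	fmt.Println("laptop lost, key safe   -> notify:", NotificationRequired(BreachFacts{true, false}))
	fmt.Println("laptop lost, key on it  -> notify:", NotificationRequired(BreachFacts{true, true}))
}
```

    The design point worth taking from the example is the separation of key from media: the safe harbor protects ciphertext, not a laptop that carries both the encrypted disk image and the passphrase on a sticky note.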

    Destruction

    Under the Guidance, destruction of PHI requires the destruction of the media on which it is stored or recorded in one of the following ways:

    1. Hard-copy media such as paper or film must be shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
    2. Electronic media must be cleared, purged or destroyed consistent with NIST Special Publication 800-88, "Guidelines for Media Sanitization," such that the PHI cannot be retrieved.

    Additional comments sought

    The Guidance solicits comments from the public regarding the technologies and methodologies that render PHI unusable, unreadable or indecipherable to unauthorized persons. HHS has expressed particular interest in comments addressing the following questions:

    1. Whether there are particular electronic media configurations, such as a fingerprinted universal serial bus (USB) drive, which may not meet the requirements for “data at rest” described above, but which should be discussed in subsequent iterations of the Guidance.
    2. Whether there are additional methods, i.e., other than destruction as described above, that HHS should consider sufficient for paper records.
    3. Whether there are other methods generally that HHS should consider as sufficient to render PHI unusable, unreadable or indecipherable by unauthorized individuals.
    4. Whether there are circumstances in which the measures described above would not be sufficient to render PHI unusable, unreadable or indecipherable by unauthorized individuals.
    5. The Guidance states that the encryption and destruction standards described above apply even if the PHI is included in a limited data set (i.e., a data set including PHI but from which 16 direct identifiers listed in the HIPAA Privacy Rule have been removed, including the individual’s name, address, Social Security number and account number), and asks whether, given the additional difficulty of re-identifying that information, a different standard ought to apply to measures to render information in a limited data set unusable, unreadable or indecipherable by unauthorized individuals.
    6. Whether there are administrative or legal concerns involving a breach of information in a limited data set that would make it impossible or unduly difficult to comply with the breach notification requirements.
    7. Whether, in the future, HHS should identify off-the-shelf products, if any, that meet the encryption standards described in the Guidance.

    Comments are to be submitted to HHS by May 21, 2009.

    What this Guidance portends

    The Guidance offers some insight as to the likely direction of HHS’s forthcoming regulations for the data breach notification requirements. Because the Guidance offers instruction for how to “secure” paper records, HHS is confirming that the data breach notification requirements apply to breaches involving information in either electronic or non-electronic form.

    The Guidance states that by using the encryption and/or destruction methods it describes, covered entities and business associates may determine which breaches require compliance with the notification requirements.

    If a breach does not involve “unsecured” PHI, that is, PHI that has not been rendered unusable, unreadable or indecipherable by unauthorized individuals by one of these methods, the covered entity or business associate need not provide notification. If a breach occurs, but the covered entity or business associate can determine that the information that was inappropriately disclosed or acquired had been “secured” by the means described in the Guidance, it would not be required to provide notification.

    The Guidance thus offers a process-oriented approach by which a covered entity or business associate may secure all of its information and, at least insofar as the breach notification requirements are concerned, need not police breaches of that information itself. Covered entities and business associates would, of course, still be obligated under the Privacy Rule and the Security Rule to adopt measures designed to prevent such breaches.