I have had a chance to review the guidance from HHS on rendering protected health information ("PHI") unusable, unreadable, or indecipherable. There are a few points of interest to providers.
First, the guidance is effective as of April 17, 2009. However, you have until May 21, 2009 to submit comments on the guidance.
The first nine pages simply discuss the comment period and the background that led HHS to issue this guidance. The actual guidance begins on page 9, but starts with more background on the process of issuing the guidance and settling on certain technologies and methodologies. HHS does this because it is requesting comments regarding additional technologies and/or methodologies that it may have left out. HHS is very interested in hearing from providers and others about other potential technologies. Depending upon the comments it receives, HHS may update the guidance with additional technologies and/or methodologies.
The guidance also discusses HHS's considerations regarding how to treat a limited data set under this guidance. HHS is not certain whether a limited data set should be treated as unusable, unreadable, etc., or whether it should require additional steps. It is uncertain because some experts believe a limited data set could be easily re-identified by using the information in the limited data set and comparing it to other public sources. In response to this concern, HHS is seeking comments regarding whether additional information should be removed from the limited data set. This could mean removing the month and day of birth or the last three digits of a five-digit zip code.
Finally, the guidance actually gets to providing the guidance HHS was instructed to provide in the ARRA. The guidance addresses PHI in motion and at rest. It also addresses disposal of PHI. EPHI is considered unusable, unreadable, or indecipherable if it is encrypted. The guidance refers to the security rule's definition of encryption. The guidance states that valid encryption processes for data at rest are those that are consistent with NIST Special Publication 800-111.
The guidance states that valid encryption processes for data in motion are those that comply with Federal Information Processing Standards (FIPS) 140-2. These include the standards described in NIST Special Publications 800-52, 800-77, 800-113, and others that are FIPS 140-2 validated.
Finally, the guidance addresses disposal of PHI and EPHI. For PHI on "paper, film, or other hard copy media," the media must be shredded or destroyed such that the PHI cannot be read or reconstructed. For EPHI, the media must have been purged, cleared, or destroyed consistent with NIST Special Publication 800-88.
The good news is that HHS did not specify particular software, hardware, equipment, or procedures. Each provider is free to address these steps using whatever tools it desires, as long as they comply with the standards set out in the referenced NIST publications. I think providers will find that this gives them some flexibility in choosing response options.
The other interesting point is that HHS adopted the model used by most states in their electronic data breach laws. That model requires notification of breaches, unless the breach is of encrypted information. HIPAA now has the same model, but specifically applicable to PHI. Remember, these steps are not mandatory. Following this guidance is simply a way to avoid the breach notification requirements added to HIPAA under the HITECH Act.
It is conceivable that some providers may determine that the risk of a breach is low enough, and the cost of a resulting notification low enough, that when compared with the cost of implementing encryption, providing notification is cheaper. There are, of course, other factors (negative PR, etc.) that should be considered. In the short run, it may seem cheaper to provide after-the-fact notification, but at what cost to patient relationships and goodwill? If patients think you cannot be trusted with PHI, they may go elsewhere, which means that in the long run such a choice could be more expensive than you think.