HHS Guidance on Securing PHI
On April 17th the Department of Health and Human Services (“HHS”) released guidance (hitechrfi1 ) ”specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals for purposes of the breach notification requirements” (the “Guidance”) pursuant to section 13402 of the American Recovery and Reinvestment Act of 2009. The guidance was effective upon issuance (April 17, 2009). Comments can be submitted on or before May 21, 2009 by posting on the HHS web site at http://www.hhs.gov/ocr/privacy.
Section 13402(h) defines “unsecured protected health information” as protected health information that is not secured through the use of a technology or methodology specified by the Secretary. Encryption and destruction are the only recognized methods. Details of implementing these two methodologies depend upon the situation and the process by which the data are encrypted and/or destroyed. HHS Guidance refers the reader to an array of National Institute of Standards and Technology (NIST) special publications.
HHS has raised the bar for covered entities, business associates, and vendors of personal health records. Unlike the HIPAA Privacy and Security regulations NIST publications provide very specific criteria that must be met. As a consequence we expect what HHS deems to be an appropriate level of due diligence will be something much different as we look to the future of HIPAA compliance. We can be sure a thorough analysis by a covered entity as to the application of physical, technical and administrative safeguards will be essential. By my count covered entities and business associates must become familiar with at least ten of the core NIST special publications to gain a working understanding of the methods by which PHI can be rendered unreadable, destroyed, etc.
The Guidance defines a framework on which appropriate safeguards for securing protected health information can be rationally evaluated. For example, the Guidance specifies vulnerabilities and where safeguards may need to be deployed to mitigate threats to protected health information. The following data “states” are enumerated within the Guidance:
- Data in motion meaning data that is moving through a network, including wireless transmission;
- Data at rest meaning data that resides in databases, file systems, and other structured storage methods;
- Data in use meaning data in the process of being created, retrieved, updated, or deleted; and
- Data disposed meaning discarded paper records or recycled electronic media).
While these categories are not new to computer security practitioners they represent a much more advanced approach as compared against earlier HIPAA privacy and security guidance. (Guidance at 12). The Guidance notes that HHS consulted the NIST when identifying appropriate safeguards. The reader is also directed to review the NIST Special Publication 800-66-Revision1 “An Introductory Resource Guide for Implementing the HIPAA Security Rule“.
Encryption is one of the core methods to render PHI unreadable; however encryption encompasses domains such as cryptology, number theory, and crypto analysis for even the most well versed security expert understanding how to encrypt information properly is complex. HHS solves this problem simply by relying on NIST. PHI must be encrypted using a NIST approved algorithm and procedure to be considered unreadable. Electronic PHI is encrypted when “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304) and key to decrypt the PHI has not been breached. Encryption identified by NIST and judged to meet this standard NIST’s encryption standards is acceptable to render PHI unreadable. (Guidance at 16). Current acceptable encryption methods include:
- For data at rest the reader those methods contained within NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Device; and
- For data in motion those methods contained within the Federal Information Processing Standards (FIPS) 140-2 are acceptable. These methods are explained in detail in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113,Guide to SSL VPNs, and others which are FIPS 140-2 validated. (Guidance at 17).
In addition to encryption, destruction is also considered an acceptable method to render PHI unreadable and/or unusable.
Acceptable methods for destroying PHI at this time:
- Paper, film, or other hard copy media be shredded or destroyed such that the PHI cannot be read or otherwise reconstructed; and
- Electronic media must be cleared, purged, or destroyed consistent with NIST Special Publication 800-88,Guidelines for Media Sanitization, such that the PHI cannot be retrieved. (Guidance at 17).