HealthBlawg

David Harlow's Health Care Law Blog

    • Twitter
    • Facebook
    • LinkedIn
    • RSS
    • Email
  • About
  • Archives
  • Podcast
  • Press
  • Awards/Reviews
  • HIPAA
  • HCSM

Draft guidance on rendering PHI unusable or indecipherable posted; comment period runs through May 21

April 17, 2009

The federales posted today, for a brief comment period, proposed guidance on how to render PHI unusable, unreadable or indecipherable to unauthorized individuals.  (This keys into the FTC's proposed interim breach notification rule, released yesterday, as well.) In addition to input on the technical specifications reproduced below, the agency is soliciting comments (as set forth further below) on a broad range of policy issues – rendering PHI unreadable, but also on breach notification provisions generally.  The full notice is linked to from the page linked above, but here is the meat of the proposal:

B. Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals only if one or more of the following applies:

a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” and such confidential process or key that might enable decryption has not been breached. Encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.

i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
ii) Valid encryption processes for data in motion are those that comply with the requirements of Federal Information Processing Standards (FIPS) 140-2. These include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.

b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways:

i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

III. Solicitation of Comments

A. Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

The Department is seeking comments on its guidance regarding the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals for purposes of section 13402(h)(2) of the Act. In particular, the Department is interested in receiving comments on the following:

1. Are there particular electronic media configurations that may render PHI unusable, unreadable, or indecipherable to unauthorized individuals, such as a fingerprint protected Universal Serial Bus (USB) drive, which are not sufficiently covered by the above and to which guidance should be specifically addressed?
2. With respect to paper PHI, are there additional methods the Department should consider for rendering the information unusable, unreadable, or indecipherable to unauthorized individuals?
3. Are there other methods generally the Department should consider for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals?
4. Are there circumstances under which the methods discussed above would fail to render information unusable, unreadable, or indecipherable to unauthorized individuals?
5. Does the risk of re-identification of a limited data set warrant its exclusion from the list of technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals? Can risk of re-identification be alleviated such that the creation of a limited data set could be added to this guidance?
6. In the event of a breach of protected health information in limited data set form, are there any administrative or legal concerns about the ability to comply with the breach notification requirements?
7. Should future guidance specify which off-the-shelf products, if any, meet the encryption standards identified in this guidance?

B. Breach Notification Provisions Generally

In addition to public comment on the guidance, the Department also requests comments concerning any other areas or issues pertinent to the development of its interim final regulations for breach notification. In particular, the Department is interested in comment in the following areas:

1. Based on experience in complying with state breach notification laws, are there any potential areas of conflict or other issues the Department should consider in promulgating the federal breach notification requirements?
2. Given current obligations under state breach notification laws, do covered entities or business associates anticipate having to send multiple notices to an individual upon discovery of a single breach? Are there circumstances in which the required federal notice would not also satisfy any notice obligations under the state law?
3. Considering the methodologies discussed in the guidance, are there any circumstances in which a covered entity or business associate would still be required to notify individuals under state laws of a breach of information that has been rendered secured based on federal requirements?
4. The Act’s definition of “breach” provides for a variety of exceptions. To what particular types of circumstances do entities anticipate these exceptions applying?

Comments will be accepted through May 21.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Filed Under: Ehealth, EHR, Health care policy, Health Law, HIPAA, HIT, Privacy

you might also like:

  1. HITECH Act security breach rules now effective; federales give a six-month pass. Now's the time to kick compliance efforts into high gear

  2. OCR releases HIPAA privacy rule guidance on de-identifying PHI

  3. Son of HIPAA Breach Notification Rules

« MGH pediatric heart surgery: Volume, volume, volume, or, How low can you go?
Blawg Review goes green »

Follow me on Twitter

David Harlow 💉😷 Follow 42,915 17,570

Mastodon @healthblawg@c.im #HealthCare #MedDevice #Compliance #Privacy @MyOmnipod #HIPAA #digitalhealth #HarlowOnHC #pinksocks Tweets are tweets No more no less

healthblawg
healthblawg avatar; David Harlow 💉😷 @healthblawg ·
2h 1620898131004072027

The Harlow #Healthcare #Innovation Daily #digitalhealth #hcldr #HarlowOnHC Thanks to @Mr_Don_Auto @KardonHIPAA @vadernauts #digitalhealth #healthtech

Image for twitter card

'She handed the police my entire prescription list': Customer claims CVS called the police on him, violated HIPAA

dailydot.com A TikToker revealed a CVS Pharmacy pharmacist called him “insane” and reported him to police ...

paper.li

Reply on Twitter 1620898131004072027 Retweet on Twitter 1620898131004072027 0 Like on Twitter 1620898131004072027 0 Twitter 1620898131004072027
healthblawg avatar; David Harlow 💉😷 @healthblawg ·
5h 1620842034113175552

ICYMI> Interoperability and NLP with Kyle Silvestro, CEO of SyTrue — Harlow On Healthcare https://healthblawg.com/2022/03/interoperability-nlp-sytrue.html?utm_source=twitter&utm_medium=social&utm_campaign=ReviveOldPost #digitalhealth #hcldr #hitsm

Image for the Tweet beginning: ICYMI>  Interoperability and NLP Twitter feed image.
Reply on Twitter 1620842034113175552 Retweet on Twitter 1620842034113175552 0 Like on Twitter 1620842034113175552 0 Twitter 1620842034113175552
healthblawg avatar; David Harlow 💉😷 @healthblawg ·
8h 1620801819612946434

The latest Harlow On Health Care Daily #HarlowOnHC #digitalhealth #healthcare #innovation #privacy #hcldr Thx: @TWDigitalHealth @MrsYisWhy @thecommunityvc #digitalhealth #healthtech

Image for twitter card

Artificial intelligence model finds potential drug molecules a thousand times faster

techxplore.com The entirety of the known universe is teeming with an infinite number of molecules. But what fraction...

paper.li

Reply on Twitter 1620801819612946434 Retweet on Twitter 1620801819612946434 0 Like on Twitter 1620801819612946434 0 Twitter 1620801819612946434
Load More
Follow me on Mastodon

HIPAAtools

Hipaatools

The HIPAA Compliance Toolkit

The Walking Gallery

The Walking Gallery

Quick Links

  • Home
  • Categories
  • Archives
  • Podcast Interviews
  • HIPAAtools
  • HIPAA Compliance
  • Health Care Social Media
  • Speaking
  • In the Press
  • Blogroll

David Harlow

David Harlow

HealthcareNOW Radio

Connect with David

  • Twitter
  • Facebook
  • LinkedIn
  • RSS
  • Email
  • Subscribe
  • Contact
  • Book Me: Speaking
  • About
  • The Harlow Group LLC
Copyright © 2006–2023
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.
Fair use with attribution and a link is encouraged. Click for more on David Harlow.
[footer_backtotop text="Back to top" href="#"]