HHS released an interim final rule on breach notification that also specifies the acceptable methods for covered entities (CEs) and business associates (BAs) to encrypt or destroy patient records so that protected health information (PHI) is "secured" and its loss or disclosure does not trigger the notification requirements.
The American Recovery and Reinvestment Act (ARRA) of 2009 required HHS to issue these regulations within 180 days of the date President Barack Obama signed into law Title XIII of the ARRA, the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The breach notification regulations take effect September 23, 2009.
However, HHS will not impose sanctions on covered entities for failing to report breaches discovered before February 22, 2010.
HHS says in the Federal Register it will "use our enforcement discretion to not impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 calendar days from the publication of this rule, or February 22, 2010."
The regulations include the following:
- Notice to affected individuals "without unreasonable delay" and in no case later than 60 calendar days after the breach is discovered
- Notice to CEs by BAs when BAs discover a breach, within the same 60-day window
- Notice to "prominent media outlets" serving a state or jurisdiction when a breach involves more than 500 residents of that state or jurisdiction
- Notice to "next of kin" or the personal representative about breaches involving patients who are deceased
- Notice to the secretary of HHS about breaches involving 500 or more individuals, at the same time as the notice to the affected individuals
- Annual notice to the secretary of HHS, in a log submitted within 60 days after the end of each calendar year, of breaches involving fewer than 500 individuals
These obligations apply only to "unsecured" PHI, meaning PHI that has not been rendered unusable, unreadable, or indecipherable through the encryption or destruction methods specified in the HHS guidance described below.
The Federal Trade Commission (FTC) also issued its final rule requiring some Internet-based businesses to notify consumers when there is a breach of their identifiable health information, according to an FTC press release issued Monday.
The FTC rule applies to vendors of personal health records that "provide online repositories that people can use to keep track of their health information," and to entities that offer third-party applications for personal health records, according to the release. It covers businesses that are not HIPAA covered entities or business associates; those organizations fall under the HHS rule instead.
“This is just another example of trying to put some more teeth into the HIPAA regulations,” says Chris Simons, RHIA, director of UM & HIM and the privacy officer at Spring Harbor Hospital in Westbrook, ME. “Covered entities should already have been notifying patients of any breaches. It is an industry best practice.”
Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, privacy, security, and compliance consultant at Rebecca Herold & Associates, LLC, in Des Moines, IA, says it’s important to note the HHS interim final rule states that, in general, accidental disclosures within the same organization do not require notification.
The interim final rule states, “if there is no significant risk of harm to the individual, then no breach has occurred and no notification is required.”
“Privacy officers should be breathing a sigh of relief that those faxes sent by mistake to one doctor instead of another, for instance, will not be required to be reported,” Simons says.
In the interim final rule, HHS expanded its guidance on the technologies and methods that render PHI "unusable, unreadable, or indecipherable to unauthorized individuals." Some of these methods were not specified in the draft guidance released in April.
In the interim final rule, the definitions for acceptable encryption include the following. HITECH requires HHS to update this guidance annually:
- Electronic PHI encrypted as defined in the HIPAA Security Rule, that is, through "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key." The guidance adds that the key or confidential process must not itself have been breached, so decryption keys should be stored on a device or at a location separate from the data they protect; an encrypted laptop lost together with its key on a sticky note does not qualify as secured.
- Valid encryption processes for PHI at rest (for example on laptops, removable media, or servers) that are consistent with National Institute of Standards and Technology (NIST) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
- Valid encryption processes for PHI in motion over a network, including wireless, that comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; 800-113, Guide to SSL VPNs; or other encryption processes that are Federal Information Processing Standards (FIPS) 140-2 validated.
The definitions for acceptable destruction include the following:
- Paper, film, or other hard copy media shredded or destroyed so PHI cannot be read or reconstructed. Redaction is specifically excluded as a means of data destruction.
- Electronic media cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization.
Comments on the provisions of this interim final rule are due on or before October 23, 2009.