Overly on Security

By Michael Overly
About this Blog:

The legal side of security.

| See Michael's Posts
Michael Overly

HHS Issues Guidance for Securing PHI

Posted May 03, 2009 to Data Protection |
. What's this?
If you are in the business of securing Personal Health Information (“PHI”) for a healthcare provider, you have no doubt read in detail the Health Information Technology for Economic and Clinical Health Act (HITECH Act) within the American Recovery and Reinvestment Act of 2009 (the “Act”).  As part of the Act, the Department of Health and Human Services (“HHS”) was tasked with defining the term “unsecured PHI” within 60 days of enactment of the HITECH Act.  As result, on April 17, HHS recently issues the Guidance Specifying the Technologies that Render PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (the “Guidance”).



The Guidance distinguishes among four categories or states in which PHI is vulnerable:




-- Data in motion (e.g., network, wireless transmission)

-- Data at rest (e.g., databases, file systems, other storage)

-- Data in use (e.g., being created, retrieved, updated)

-- Data disposed (e.g., discarded paper records and electronic media)



Under the guidance, PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals and thus is not “unsecured PHI” if one or more of the following “safe harbors” apply:  the data is encrypted or destroyed.  With the exception of data in use, the Guidance provides specific direction for the technologies and methods for falling within these safe harbors.



 

Data at Rest.  Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. (www.csrc.nist.gov)


 

Data in Motion.  Valid encryption processes for data in motion are those that comply with the requirements of Federal Information Processing Standards (FIPS) 140-2, including:




– Standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations,

– 800-77, Guide to IPsec VPNs,

– 800-113, Guide to SSL VPNs, and

-- May include others which are FIPS 140-2 validated




Data in Use.  HHS Guidance has not addressed ways to protect such data.  The standard would likely default to what is reasonable under the circumstances and consistent with industry practice.


Data Disposed.  Data disposed means discarded paper records or recycled electronic media.  The media on which the PHI is stored or recorded must have been destroyed in one of the following ways:



– Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed

– Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved


 
Print
What is Tech Briefcase?
TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more
Bookmark content
Speed up your research efforts with content across the web.
Search and Store
Find the white papers you need. Create folders for any topic.
View Anywhere
Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.
Don't have an account yet?
WHITE PAPER
Reduce Email Archives up to 60%

Clearwell Are you considering implementing a proactive archiving and eDiscovery solutions? This paper summarizes 15 separate soft cost savings when implementing Symantec Enterprise Vault and the Clearwell eDiscovery Platform.

» Learn More

WHITE PAPER
Aberdeen Report: To Patch, or Not to Patch? (Not If, But How)

Secunia The report explores the correlation between the current use of patch management and the level of endpoint-related risk that companies are effectively accepting.

» Learn More

Browse CSO Blogs

See all CSO Blogs »

Recent Comments

RESOURCE CENTER