Guest Article
(From the April 27, 2009 issue of Deloitte's Washington Bulletin, a periodic update of legal and regulatory developments relating to Employee Benefits.)
As required under the HITECH Act, the Department of Health and Human Services issued guidance identifying the methodologies that will render protected health information (PHI) unusable, unreadable, or indecipherable to unauthorized individuals. HITECH's new breach notification requirements will not apply to PHI that has been so secured through either encryption or destruction -- but HHS is seeking comments on whether PHI in limited data set form, or whether additional technologies and methodologies, should be added to the list.
Background
The American Recovery and Reinvestment Act enacted on February 17, 2009, included the Health Information Technology for Economic and Clinical Health (HITECH) Act, which made significant changes in the privacy requirements under the Health Insurance Portability and Accountability Act (HIPAA). Among those changes were the extension of the HIPAA privacy, security and penalty provisions to business associates, the imposition of new notice requirements where breaches have occurred, and the application of increased civil penalties.
The HITECH Act requires HIPAA covered entities to notify affected individuals -- and requires business associates to notify covered entities -- following the discovery of a breach of unsecured PHI. It defines "unsecured PHI" as PHI that is not secured through the use of a technology or methodology specified by the Secretary in guidance. Under the Act, the Secretary of the Department of Health and Human Services (HHS) was required to issue that guidance within 60 days after enactment. Meeting this deadline, HHS posted the guidance on its website on April 17, 2009. Although the guidance is effective immediately, the notification requirements themselves will apply only to breaches occurring 30 days or more after publication of the forthcoming interim final regulations.
Proposed Methodologies for Securing PHI
The new breach notification requirements apply only to "unsecured PHI." The guidance describes the methodologies and technologies that are considered to render PHI unusable, unreadable, or indecipherable to unauthorized individuals. It therefore supplies the test by which covered entities and their business associates determine whether an incident is a breach that obligates them to provide notice. Covered entities and business associates are not required to follow the guidance, but doing so creates the functional equivalent of a safe harbor: PHI secured by one of the listed methods is not "unsecured PHI," so its loss or disclosure does not trigger the notice requirement. (The obligation under the HIPAA Privacy Rule to mitigate any harmful effects known to the covered entity as a result of the breach would still apply.)
The guidance proposes two, and only two, means of rendering PHI "unusable, unreadable, or indecipherable to unauthorized individuals":

    1. Encryption of the PHI.
    2. Destruction of the PHI.

Encryption earns the safe harbor only while the key stays out of the hands of the unauthorized party; ciphertext recovered together with the key that decrypts it is, for practical purposes, plaintext.
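The following Go program is an added example written for this page, not code from Deloitte, HHS or BenefitsLink, and it does not implement any specific algorithm named in the guidance (the page names none). It shows what "rendering PHI unusable" looks like at the storage layer: a constructed sample record is sealed with AES-256-GCM under a key that is kept apart from the stored blob, and three checks an incident responder would run on an exposed data store are demonstrated: the blob carries no recognizable fragment of the record, a wrong key fails closed, and a tampered blob is rejected rather than decrypted to garbage. The record, key handling and function names are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// phiRecord is a constructed sample record for this example; it is not real patient data.
const phiRecord = `{"patient":"Jane Q. Sample","mrn":"000-00-0001","dx":"E11.9"}`

// newKey draws a fresh 256-bit key. Assumption of this example: in production the key
// lives in a KMS or HSM, never in the same store as the blobs it protects.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// sealPHI encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// The key is deliberately not part of the blob: the blob alone is indecipherable only
// for as long as the key stays out of the attacker's hands.
func sealPHI(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("sealPHI: key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce so the blob is self-describing.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openPHI reverses sealPHI. GCM authenticates before it decrypts, so a wrong key or a
// modified blob returns an error rather than plausible-looking output.
func openPHI(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("openPHI: key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("openPHI: blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// leaksPlaintext reports whether an exposed blob still contains a recognizable fragment
// of the record, the first thing a responder checks on data recovered from a lost device.
func leaksPlaintext(blob []byte, marker string) bool {
	return bytes.Contains(blob, []byte(marker))
}

func main() {
	key, _ := newKey()
	blob, _ := sealPHI(key, []byte(phiRecord))
	fmt.Printf("stored blob is %d bytes; contains \"Sample\": %v\n", len(blob), leaksPlaintext(blob, "Sample"))
	if _, err := openPHI(make([]byte, 32), blob); err != nil {
		fmt.Println("decrypt with wrong key:", err)
	}
	blob[len(blob)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := openPHI(key, blob); err != nil {
		fmt.Println("decrypt tampered blob:", err)
	}
}
```

The design point is key separation, not the choice of cipher: if the same laptop, backup tape or database dump holds both the blob and the key (or a password that derives it), the encryption does not render the PHI unusable to whoever holds the media, and the safe harbor reasoning above does not apply.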
The guidance does not address the use of de-identified information as a method because once PHI has been de-identified in accordance with the HIPAA Privacy Rule it is no longer PHI and, therefore, not subject to the HIPAA Privacy and Security Rules.
The guidance does ask for comments on whether PHI in limited data set form (i.e., PHI from which the 16 direct identifiers have been removed) should be added as a safe-harbor methodology for securing PHI. HHS also seeks comments on several other specific issues, the resolution of which will likely go a long way toward easing the burden on covered entities and business associates of rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals.
Comments are requested before May 21, 2009.
The information in this Washington Bulletin is general in nature only and not intended to provide advice or guidance for specific situations.
If you have any questions or need additional information about articles appearing in this or previous versions of Washington Bulletin, please contact: Robert Davis 202.879.3094, Elizabeth Drigotas 202.879.4985, Mary Jones 202.378.5067, Stephen LaGarde 202.879.5608, Erinn Madden 202.572.7677, Bart Massey 202.220.2104, Mark Neilio 202.378.5046, Tom Pevarnik 202.879.5314, Sandra Rolitsky 202.220.2025, Tom Veal 312.946.2595, Deborah Walker 202.879.4955. Copyright 2009, Deloitte.
BenefitsLink is an independent national employee benefits information provider, not formally affiliated with the firms and companies who kindly provide much of the content and advertisements published on this Web site, including the article shown above.