HHS issues guidance on protecting PHI

The HITECH Act requires the US Department of Health and Human Services to provide guidance on the technologies and methodologies to protect "unsecured protected health information" (UPHI) by making it unusable, unreadable, or indecipherable to unauthorized individuals. By protecting UPHI, covered entities and their business associates can avoid the breach notification requirements of the Act.

The guidance document released on April 17, 2009, covers four data states; all but the first must be protected by encryption or destruction:
  • data in use: data in the process of being created, retrieved, updated, or deleted
  • data in motion: data that is moving through a network, including wireless transmission
  • data at rest: data that resides in databases, file systems, and other structured storage methods
  • disposed data: discarded paper records or recycled electronic media
For encryption, the document warns of the need to properly select the encryption algorithm and to properly secure the decryption key(s). For data at rest, the guidance refers to NIST 800-111; for data in motion, the guidance refers to FIPS 140-2 (including NIST 800-52, 800-77, or 800-113).

For destruction, the document states that electronic media must be "cleared, purged, or destroyed" according to NIST 800-88 to prevent retrieval. Paper media should be shredded or destroyed such that it cannot be reconstructed.

Src: HHS Releases Guidance for Securing Health Information and Preventing Harm from Breaches