Wave Systems Corp. (fka WAVXQ)

[Fullmoon]

HHS Guidance Specifies Technologies to Secure PHI

http://www.mondaq.com/article.asp?articleid=79170

The American Recovery and Reinvestment Act passed at the end of February contains a number of changes to HIPAA privacy and security rules. Among the most important changes are new notification obligations in cases of breaches of protected health information (PHI).

Limiting the amount of "unsecured" PHI is another way to reduce likelihood of a reportable breach. HHS guidance published April 17 specifies technologies that secure PHI by rendering it unusable, unreadable or indecipherable to unauthorized individuals. If health plans apply the technologies and methodologies specified in the guidance to secure information, they will not be obligated to provide ARRA notifications in the event the information is breached.

Under the guidance, PHI is rendered unusable, unreadable or indecipherable to unauthorized individuals only if one or more of the following applies:

Encryption. Electronic PHI has been encrypted by "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key" and such confidential process or key has not been breached. Encryption processes that meet this standard for data at rest (data in databases, file systems and other structured storage methods) are those consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. Encryption processes for data in motion (data that is moving through a network, including wireless transmission) must comply with Federal Information Processing Standards 140-2.