HHS Issues HITECH Act Guidance for Securing PHI Relative to Breach Notification Regulations

The Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as a part of the American Recovery and Reinvestment Act of 2009 (ARRA) (i.e., the Stimulus Bill), requires the development of regulations requiring certain covered entities to provide thorough notification in the cases where there has been a breach of unsecured protected health information (PHI). These regulations will apply to covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

This notification may include, depending on the size of the breach and the urgency of notification, written notice to the individual, conspicuous posting on the website, telephone contact when urgent, notice to prominent media outlets, notice to the U.S. Department of Health and Human Services (HHS) Secretary, and/or posting on the HHS web site.

However, these notification procedures can largely be avoided if the PHI has been secured through one of a number of methodologies or technologies.

On April 17, 2009, HHS issued guidance that specifies methodologies and technologies whose use renders information sufficiently unusable. Essentially, use of these methodologies creates a safe harbor, which results in covered entities and their business associates not being required to go through the notification procedures because the information breached is considered secured (secured PHI is unusable, unreadable, or indecipherable to unauthorized individuals).

HHS and the Federal Trade Commission (FTC) are each preparing to issue breach notification regulations. HHS regulations will apply to covered entities and business associates under HIPAA; FTC regulations will cover vendors of personal health records and other non-HIPAA covered entities.

The HHS guidance issued last month relates to these two forthcoming regulations, and suggests that successful encryption (depending on the strength of the encryption algorithm and the security of the descryption key or process) and destruction (of paper or electronic forms of information) are the only methodologies that sufficiently secure PHI. HHS is seeking comments and input regarding additional technologies, risks of re-identification, the use of limited data, and other considerations, to be received by May 21, 2009.

For more information on HIPAA, please call Abby Pendleton, Esq. or Jessica L. Gustafson, Esq. at (248) 996-8510, visit The HLP website’s Compliance and HIPAA page, or visit The HLP website.

Contact Information