Decrypting HHS Guidance on Breach Notification and Security under the HITECH Act: NIST, FIPS, and More

Two months after Congress mandated notification for the breach of unsecured protected health information (PHI), the Secretary of Health and Human Services (HHS) defined what it means to be “unsecured.” As required by Section 13402 of the HITECH Act, H.R. 1, 111th Cong. (1st Sess. 2009) (which was part of the American Recovery and Reinvestment Act of 2009), the Secretary issued guidance and a request for comments on the technologies and methodologies rendering information unusable, unreadable or indecipherable. 74 Fed. Reg. 19006 (Apr. 27, 2009) (to be codified at 45 C.F.R. pts. 160, 164).

As we previously reported, the HITECH Act’s notification requirements for breaches of unsecured PHI apply to entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), their business associates, and non-HIPAA covered vendors of personal health records (PHR). To constitute a breach, the acquisition, use, access or disclosure of the PHI must “compromise[] the security or privacy of such information.” HITECH Act at §13400(1)(A). The newly issued HHS guidance lists technologies and methodologies that secure information, rendering the data unusable, unreadable, or indecipherable. If PHI is secured according to the HHS guidance, unauthorized access to such information will not trigger the HITECH breach notification requirements, although these breaches may still be subject to state law notification requirements.

This HHS guidance also is to be used to render identifiable health information unusable, unreadable, or indecipherable for purposes of the temporary breach notification requirements that apply to vendors of PHRs, the requirements for which are to be administered by the Federal Trade Commission (which in turn issued proposed regulations, on April 16, 2009, addressing consumer notice for breaches of electronic health information by PHRs).

The HHS guidance provides two methods of securing information for the purposes of the HITECH Act: destruction and encryption. Destruction may secure information that was found in either paper format or in electronic media. In order to satisfy the destruction method, the paper or other hard copy media must be shredded or destroyed such that the PHI cannot be read or otherwise reconstructed. Electronic media must be cleared, purged, or destroyed in accordance with the specifications set forth in National Institute of Standards and Technology (NIST) Special Publication 800-88. 74 Fed. Reg. at 19010.

According to the guidance, the effectiveness of encryption depends on the strength of the algorithm and the security of the decryption key or process. PHI is not secure if the decryption key or process has been breached. Encryption only secures PHI if, in accordance with the HIPAA Security Rule, an algorithm “transform[s] data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key.” 45 C.F.R. § 164.304. Accordingly, the HHS guidance only specifies encryption processes that have been tested and approved by NIST. Data at rest, which is filed or stored in a database, should be encrypted according to the processes outlined in NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. Encryption processes for data in motion, including that being transmitted or moving through a network, should comply with Federal Information Processing Standards (FIPS) 140-2. Some examples of conforming processes for data in motion are outlined in NIST Special Publications 800-52 (relating to Transport Layer Security (TLS) Implementations); 800-77 (addressing IPsec VPNs); and 800-113 (SSL VPNs), and may include others which are FIPS 140-2 validated.
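The practical point in that paragraph is that encryption keeps PHI "unusable, unreadable, or indecipherable" only while the decryption key stays out of the loss. The following Go program, added here as an illustration and not taken from the HHS guidance or any NIST publication, encrypts a constructed, fictional patient record with AES-256-GCM from Go's standard library and then models two incidents: media lost with the key kept separately, and media lost with its key stored alongside it. The record contents, the `Incident` type and the `PHIExposed` helper are assumptions of this example; whether a given Go build counts as a FIPS 140-2 validated module is a separate question the example does not settle.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// samplePHI is a constructed, fictional record used only for this demonstration.
const samplePHI = "mrn=000001;name=Jane Doe;dob=1970-01-01;dx=hypertension"

// newKey returns a fresh 256-bit AES key. The guidance calls for FIPS 140-2
// validated processes; treating Go's standard library as one is an assumption
// of this example, not something the guidance states.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptAtRest seals a record with AES-256-GCM and prefixes the random nonce.
// GCM also authenticates the ciphertext, so tampering is detected on decryption.
func encryptAtRest(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptAtRest reverses encryptAtRest; it returns an error (and no plaintext)
// if the key is wrong or the ciphertext was modified.
func decryptAtRest(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Incident (hypothetical type) models what left the organisation's control:
// the sealed media and any key material that went with it (nil when the key
// was kept separately, for example in a server-side key store).
type Incident struct {
	Sealed       []byte
	KeyRecovered []byte
}

// PHIExposed reports whether whoever holds the lost media can read the PHI.
// Ciphertext alone, or ciphertext plus the wrong key, yields nothing readable;
// ciphertext plus its matching key means the decryption process was breached.
func PHIExposed(inc Incident) bool {
	if inc.KeyRecovered == nil {
		return false
	}
	_, err := decryptAtRest(inc.KeyRecovered, inc.Sealed)
	return err == nil
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	sealed, err := encryptAtRest(key, []byte(samplePHI))
	if err != nil {
		panic(err)
	}
	fmt.Println("media lost, key kept separately -> PHI exposed:",
		PHIExposed(Incident{Sealed: sealed}))
	fmt.Println("media lost with its key on the same device -> PHI exposed:",
		PHIExposed(Incident{Sealed: sealed, KeyRecovered: key}))
}
```

The second case is the one the guidance warns about: a laptop whose disk is encrypted but whose key (or the passphrase that unlocks it) travels with the device is, for breach notification purposes, no better than an unencrypted one. The authenticated mode also means a finder cannot silently alter the record without the change being detected on the next decryption.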

Since the technologies and methodologies in the guidance are intended to be exhaustive, the Secretary of HHS sought comments regarding additional technologies or methodologies for inclusion in future guidance. HHS also requested comments on various other related issues, including instances when specified technologies and methodologies would fail to secure information, how the federal notice requirements affect existing state law requirements, and whether and how limited data sets (created in accordance with the HIPAA Privacy Rule) could be included in this guidance. This HHS guidance will be closely watched not only as it relates to federal law, but also as to how it informs state law interpretations. Encryption remains undefined under state law, and the HHS guidance provides a potentially important source of interpretation.

This guidance will apply to breaches that occur at least thirty days after publication by HHS of the interim final regulations on breach notification (which have not yet been issued). Any modifications to this guidance based on comments received are expected to be made prior to or concurrent with those regulations.

Proskauer summer associate Katrina McCann contributed to this post.

HHS Enters Into First Monetary Settlement Under HIPAA

On July 15, 2008, the U.S. Department of Health & Human Services (“HHS”) entered into its first Resolution Agreement with a HIPAA-covered entity to settle alleged violations of the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Pursuant to the Resolution Agreement, a Seattle-based not-for-profit health system, Providence Health & Services and certain of its divisions (“Providence”), paid $100,000 to HHS and entered into a Corrective Action Plan with the government. HHS advised that Providence’s cooperation in the investigation helped it avoid a “civil monetary penalty.” Providence has been released from further civil fines to HHS arising out of the particular activities at issue in this matter, provided that Providence complies with the terms of the three-year Corrective Action Plan. The Resolution Agreement did not release Providence from any potential criminal liability.

Prior to this Resolution Agreement, HHS had not imposed any fines on any HIPAA-covered entities. In the more than five years that have passed since the compliance deadline for the HIPAA privacy regulations, HHS has received close to 40,000 complaints of violations, the majority of which were not eligible for enforcement. Of those where a violation was identified, HHS had previously resolved such cases by requiring changes in privacy practices and other corrective actions without entering into any formal settlement agreements or imposing any fines.

The circumstances underlying the Resolution Agreement were at least five incidents in 2005 and 2006 in which unencrypted electronic protected health information (“ePHI”) of Providence patients was stored on backup tapes, optical disks and laptops that were taken off-site from Providence by members of its workforce, and then misplaced or stolen, potentially compromising the health information of over 386,000 patients. Providence, in accordance with state notification laws, advised patients of the loss of their information. More than 30 of those patients subsequently complained to HHS, although there is no evidence that any of their personal information was wrongfully used as a result of these incidents. The HHS Office for Civil Rights, responsible for enforcing the privacy regulations under HIPAA, and the HHS Centers for Medicare & Medicaid Services, responsible for enforcing the security regulations under HIPAA, jointly investigated these complaints, focusing on Providence’s failure to implement policies and procedures to safeguard the ePHI.

Pursuant to the Corrective Action Plan, for the next three years Providence must:

▪ Provide copies to HHS, for its review and approval, of policies and procedures that address physical and technical safeguards for off-site storage and transport of electronic media containing ePHI;

▪ Following HHS approval of these security policies and procedures, provide to HHS evidence that Providence has implemented such policies and procedures, and distributed them to all applicable members of its workforce;

▪ Require a signed certification from each workforce member that such person has read, understood and will follow such policies and procedures;

▪ Annually assess such policies and procedures, and revise as appropriate;

▪ Train all workforce members, including obtaining a signed certification of training from each workforce member before s/he may transport a portable device containing ePHI, or conduct off-site storage or transport of backup media containing ePHI;

▪ Notify HHS if it discovers that a workforce member violated any of these procedures;

▪ Conduct quarterly “Monitor Reviews,” including unannounced site visits, interviews of employees and inspection of portable devices to ensure compliance with these policies, and provide records of such monitoring to HHS; and

▪ Submit annual reports to HHS that show its compliance with this Plan.

When considered individually, none of the reported security incidents experienced by Providence in 2005 and 2006 was extraordinary. Virtually every day the media includes reports of laptop losses or thefts. Further, the HIPAA privacy and security regulations do not explicitly prohibit off-site access or transport of ePHI, and do not require encryption of ePHI in all circumstances. While security practices are still evolving, at the time of these incidents, it was not uncommon for health care organizations to maintain unencrypted ePHI in storage media, or to permit employees to remotely access ePHI.

When considered collectively, however, the occurrence at Providence of five similar security incidents over a six-month period is more noteworthy and relevant for other health care organizations. Further, the types of remedial measures included in the Corrective Action Plan provide evidence of HHS’ focus in this area, and serve as additional guidance for HIPAA-covered entities. As a starting point, a covered entity should review its current privacy and security policies and procedures to determine if they remain relevant, consistent with the experience of the organization, and current with technological advances. Annual reviews should follow. If a HIPAA-covered entity instituted security policies and procedures in 2003 or 2004, those may no longer be reasonable in 2008, and may no longer be consistent with security procedures at other similar organizations. In addition to keeping abreast of industry standards, companies should follow applicable guidance from HHS. In connection with the particular incidents at Providence, in late 2006, HHS issued guidance on the use of portable media, and off-site access and transport of ePHI.

Any time privacy and security policies and procedures are updated, copies of such revised policies and procedures should be distributed to all applicable employees, and such employees should be retrained in the revised procedures. Next, in the event of a privacy breach or other security incident, a covered entity should immediately investigate the cause of the incident, review its then-current policies and procedures to determine what additional measures should be taken to avoid future similar incidents, promptly institute any necessary revisions to policies and procedures, and distribute revised policies and retrain employees as applicable. Periodic monitoring of compliance with existing privacy and security policies and procedures is also advisable. Finally, all privacy and security policies and procedures, and training in such policies and procedures, should be actively documented.

In light of the Providence settlement, as well as HHS’ announcement earlier this year that it intends to conduct security audits of HIPAA-covered entities, it appears that we are now moving into an era where HHS is taking a more active role in HIPAA enforcement, particularly with respect to security of electronic health information.