In your recent tip on the updates to HIPAA, you mentioned that the secretary of the Department of Health and Human
Services would publish guidance in April for the business partners of covered entities. Now that HHS has responded, what exactly are the key compliance guidelines for business partners? What must partners do to avoid being subject to the same civil and criminal penalties as covered entities?
To date, the Department of Health and Human Services (HHS) has published some preliminary guidance for encrypting or otherwise obfuscating Personal Health Information (PHI). This is due to requirements (c) and (h) of section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA).
This preliminary HHS HIPAA guidance (.pdf) relates to both electronic and paper records, and though it appears to be on the wordy side, most of the necessary information is at the end of page 16. In sum: encrypt data at rest in accordance with NIST 800-111, Guide to Storage Encryption Technologies for End User Devices, and data in motion using FIPS 140-2 certified services.
Similarly for HIPAA-compliant data destruction, either shred documents appropriately or destroy media in line with NIST 800-88, Guidelines for Media Sanitization.
These HIPAA encryption requirements are particularly interesting (if they make it onto the final version of the requirements), as Windows 2000 is not FIPS 140-2 certified (it is however FIPS 140-1 certified.) So, in order to be compliant with HITECH, all covered entities and business associates will either have to migrate off of any Windows 2000 servers that are still housing PHI, or start using an alternate validated product such as OpenSSL or Apache; this may end up being expensive in terms of license fees. Even if you go the open source route, it could require additional hardware and could result in a learning curve for your staff if they don't already have expertise with these products.
- What does the future of the endpoint encryption market look like? Read more.
- Read more about the difference between AES and DES encryption.
Dig deeper on HIPAA
Related Q&A from David Mortman, Contributor
While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it ...continue reading
PCI DSS audits can be a lot easier if the scope is narrow. Learn how to consolidate and store sensitive data in order to best reduce PCI DSS security...continue reading
When hiring an information security team member, how important is a certification in information security? Learn how to talk to executives about ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.