Ask the Expert

HHS HIPAA guidance on encryption requirements and data destruction

In your recent tip on the updates to HIPAA, you mentioned that the secretary of the Department of Health and Human Services would publish guidance in April for the business partners of covered entities. Now that HHS has responded, what exactly are the key compliance guidelines for business partners? What must partners do to avoid being subject to the same civil and criminal penalties as covered entities?

    Requires Free Membership to View

To date, the Department of Health and Human Services (HHS) has published some preliminary guidance for encrypting or otherwise obfuscating Personal Health Information (PHI). This is due to requirements (c) and (h) of section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA).

This preliminary HHS HIPAA guidance (.pdf) relates to both electronic and paper records, and though it appears to be on the wordy side, most of the necessary information is at the end of page 16. In sum: encrypt data at rest in accordance with NIST 800-111, Guide to Storage Encryption Technologies for End User Devices, and data in motion using FIPS 140-2 certified services.

Similarly for HIPAA-compliant data destruction, either shred documents appropriately or destroy media in line with NIST 800-88, Guidelines for Media Sanitization.

These HIPAA encryption requirements are particularly interesting (if they make it onto the final version of the requirements), as Windows 2000 is not FIPS 140-2 certified (it is however FIPS 140-1 certified.) So, in order to be compliant with HITECH, all covered entities and business associates will either have to migrate off of any Windows 2000 servers that are still housing PHI, or start using an alternate validated product such as OpenSSL or Apache; this may end up being expensive in terms of license fees. Even if you go the open source route, it could require additional hardware and could result in a learning curve for your staff if they don't already have expertise with these products.

For more information:

This was first published in June 2009

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: