To date, the Department of Health and Human Services (HHS) has published only preliminary guidance on encrypting or otherwise rendering Protected Health Information (PHI) unusable, unreadable or indecipherable to unauthorized individuals. The guidance was required by subsections (c) and (h) of section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA).
The preliminary HHS guidance (published as a PDF) covers both electronic and paper records. It is on the wordy side, but most of the actionable content is at the end of page 16. In sum: protect data at rest by encrypting it in accordance with NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices, and protect data in motion with encryption that relies on FIPS 140-2 validated cryptographic modules (the guidance points to NIST SP 800-52 for TLS, SP 800-77 for IPsec VPNs and SP 800-113 for SSL VPNs). The practical significance is that PHI secured this way does not count as "unsecured PHI" under HITECH, so its loss or theft does not trigger the Act's breach notification requirements.
Similarly, for HIPAA-compliant destruction of PHI, either shred paper records so they cannot be read or reconstructed, or sanitize electronic media in line with NIST SP 800-88, Guidelines for Media Sanitization.
These encryption requirements are particularly interesting (if they survive into the final version) because Windows 2000 is not FIPS 140-2 validated; its cryptographic modules were validated only against the older FIPS 140-1. So, to keep the breach-notification safe harbor for PHI that is still housed on Windows 2000 servers, covered entities and business associates will either have to migrate to a platform with FIPS 140-2 validated modules, or move the encryption into a separately validated product such as the OpenSSL FIPS Object Module (which is what an Apache mod_ssl deployment would rely on). The migration route can be expensive in license fees; the open source route may require additional hardware and a learning curve for staff who don't already have expertise with those products. One caveat for either route: a FIPS 140-2 validation applies to a specific module and version, so confirm the exact product and version against the NIST Cryptographic Module Validation Program (CMVP) list rather than assuming a vendor's product line is covered.
This was first published in June 2009