
HHS HIPAA guidance on encryption requirements and data destruction

Expert response from: David Mortman, featured expert



QUESTION POSED ON: 26 June 2009
In your recent tip on the updates to HIPAA, you mentioned that the secretary of the Department of Health and Human Services would publish guidance in April for the business partners of covered entities. Now that HHS has responded, what exactly are the key compliance guidelines for business partners? What must partners do to avoid being subject to the same civil and criminal penalties as covered entities?







To date, the Department of Health and Human Services (HHS) has published some preliminary guidance for encrypting or otherwise obfuscating Personal Health Information (PHI). This is due to requirements (c) and (h) of section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA).

This preliminary HHS HIPAA guidance (.pdf) relates to both electronic and paper records, and though it appears to be on the wordy side, most of the necessary information is at the end of page 16. In sum: encrypt data at rest in accordance with NIST 800-111, Guide to Storage Encryption Technologies for End User Devices, and data in motion using FIPS 140-2 certified services.

Similarly for HIPAA-compliant data destruction, either shred documents appropriately or destroy media in line with NIST 800-88, Guidelines for Media Sanitization.

These HIPAA encryption requirements are particularly interesting (if they make it onto the final version of the requirements), as Windows 2000 is not FIPS 140-2 certified (it is, however, FIPS 140-1 certified). So, in order to be compliant with HITECH, all covered entities and business associates will either have to migrate off of any Windows 2000 servers that are still housing PHI, or start using an alternate validated product such as OpenSSL or Apache; this may end up being expensive in terms of license fees. Even if you go the open source route, it could require additional hardware and could result in a learning curve for your staff if they don't already have expertise with these products.
