
HHS HIPAA guidance on encryption requirements and data destruction

Complying with HIPAA is only becoming more challenging. Fortunately, the Department of Health and Human Services has recently released some preliminary guidelines on how to deal with HIPAA's encryption requirements and data destruction.

In your recent tip on the updates to HIPAA, you mentioned that the secretary of the Department of Health and Human Services would publish guidance in April for the business partners of covered entities. Now that HHS has responded, what exactly are the key compliance guidelines for business partners? What must partners do to avoid being subject to the same civil and criminal penalties as covered entities?

To date, the Department of Health and Human Services (HHS) has published some preliminary guidance for encrypting or otherwise obfuscating Personal Health Information (PHI). This is due to requirements (c) and (h) of section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA).

This preliminary HHS HIPAA guidance (PDF) covers both electronic and paper records. It is on the wordy side, but most of the necessary information is at the end of page 16. In sum: encrypt data at rest in accordance with NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices, and protect data in motion using FIPS 140-2 certified services.

Similarly, for HIPAA-compliant data destruction, either shred paper documents appropriately or destroy electronic media in line with NIST SP 800-88, Guidelines for Media Sanitization.

These HIPAA encryption requirements are particularly interesting (if they make it onto the final version of the requirements), as Windows 2000 is not FIPS 140-2 certified (it is, however, FIPS 140-1 certified). So, in order to be compliant with HITECH, all covered entities and business associates will either have to migrate off any Windows 2000 servers that still house PHI, or start using an alternate validated product such as OpenSSL or Apache; this may end up being expensive in terms of license fees. Even if you go the open source route, it could require additional hardware and could result in a learning curve for your staff if they don't already have expertise with these products.

This was last published in June 2009