
Unusable, Unreadable, or Indecipherable? No Breach reporting required, (Sat, May 9th)


Recent HIPAA legislation promised guidance identifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009. That guidance has now been published:

DEPARTMENT OF HEALTH AND HUMAN SERVICES

45 CFR PARTS 160 and 164

Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009

**SNIPPETS**

B. Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals only if one or more of the following applies:

a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key[15] and such confidential process or key that might enable decryption has not been breached. Encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.

i) or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.[18]

b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways:

i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.

ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization,[19] such that the PHI cannot be retrieved.

Footnotes (as cited in the guidance excerpt above):

[17] Guide to Storage Encryption for End User Devices

[18] FIPS 140-2; NIST Special Publication 800-52, Guidelines for the Selection and Use of Transport Layer Security; Guide to IPsec VPNs; Guide to SSL VPNs

[19] Guidelines for Media Sanitization

URL: http://isc.sans.org/diary.php?storyid=6364&rss
