Get to know encryption, destruction of documents
HIPAA Weekly Advisor, September 7, 2009
HHS added encryption layers to the interim final rule on breach notification to specify the technologies and methods that render PHI “unusable, unreadable, or indecipherable to unauthorized individuals.” Some of these layers were not specified in the draft guidance released in April. This guidance will be updated annually.
In the interim final rule, the definitions for acceptable encryption include the following:
- Electronic PHI encrypted as specified in the HIPAA Security Rule. This includes “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.”
- Valid encryption processes for PHI in databases consistent with National Institute of Standards and Technology (NIST) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
- Valid encryption processes for PHI flowing through a network, including wireless, that comply with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; 800-113, Guide to SSL VPNs; and others validated by Federal Information Processing Standards (FIPS) 140-2.
The definitions for acceptable destruction include the following:
- Paper, film, or other hard copy media shredded or destroyed so PHI cannot be read or reconstructed. Redaction is specifically excluded as a means of data destruction.
- Electronic media cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization.
Comments on the provisions of this interim final rule are due on or before October 23, 2009.