
HITECH UPDATE: Check your current system against HHS draft guidance

HIM-HIPAA Insider, April 27, 2009

In case you missed it, on April 17 HHS issued draft guidance on security breach notification: a 20-page report that defines the acceptable conditions under which covered entities and business associates may encrypt or destroy private patient data so that PHI is secured and a breach is prevented.

The guidance includes the technologies and methods specified by the Secretary of HHS that render PHI “unusable, unreadable, or indecipherable to unauthorized individuals.” The American Recovery and Reinvestment Act of 2009 (ARRA) required the draft guidance by Saturday, April 18, according to an HHS press release.

Covered entities and business associates are not required to follow the guidance. However, if they do, it creates a “safe harbor” and protects them from the notification requirements when a security breach occurs, according to the new HHS report.

Though the guidance is not yet final, covered entities and business associates should pay close attention to it, because it will help determine whether their facility had a breach of patient privacy.

“Keep in mind, this is a new federal requirement which overlaps with security breach notification laws already on the books in almost every state, and personal information disposal laws on the books in many states,” says John R. Christiansen, of Christiansen IT Law, in Seattle. “... We’re going to have to analyze state laws specifically to figure out if there are places where the state law is stronger. It probably isn’t worth doing a definitive analysis until the final guidance comes out.”
