Health Information Management

REMINDER: Make your comments heard by HHS

HIM-HIPAA Insider, May 18, 2009

You have until May 21 to submit comments to HHS about the definition of unsecured PHI.

HHS issued a proposal for security breach notification in a 20-page report that defines the acceptable conditions under which covered entities and business associates may encrypt or destroy private patient data in order to secure protected health information (PHI) and prevent a breach.

The guidance released April 17 includes the technologies and methods specified by the Secretary of HHS that render PHI "unusable, unreadable, or indecipherable to unauthorized individuals." The American Recovery and Reinvestment Act of 2009 (ARRA) required the draft guidance by April 18, according to an HHS press release.

Covered entities and business associates are not required to follow the guidance. However, if they do, it creates a "safe harbor" and protects them from the notification requirements when a security breach occurs, according to the new HHS report.

Although the guidance is not final yet, covered entities and business associates should pay close attention to it because the guidance will help them determine whether their facility had a breach of patient privacy.

Title XIII of the ARRA—the Health Information Technology for Clinical and Economic Health (HITECH) Act—describes greater notification requirements for breaches of "unsecured PHI," or PHI that is not secured through technologies and methodologies specified by the Secretary.

The report released in April includes those specifications. After a public comment period, which ends May 21, HHS will release the final guidance by August 17, according to the ARRA.
