Breach of Unsecured PHI
Another change to HIPAA made by the HITECH Act was the addition of new breach notification provisions requiring covered entities and business associates to notify affected individuals about breaches of unsecured PHI that compromise the privacy or security of the PHI. Covered entities must also provide notice of the breach to the Secretary of HHS and in certain circumstances, to the media. Business associates, however, are only required to notify covered entities within 60 days of any breaches. HHS issued an Interim Final Rule implementing these changes in August 2009.114
Encryption is not necessarily required under the Privacy Rule or the Security Rule; rather it is one of many forms suggested as a means to adequately protect PHI. For Security Rule purposes, whether encryption is the proper technology to protect a covered entity’s PHI depends on the entity’s security needs. However, for a covered entity to ensure that it is not subject to the new notice provisions under the Privacy Rule, it must encrypt its PHI.115 PHI can also be secured by destroying it. Hard copy PHI, such as paper or film, must be destroyed or shredded such that it cannot be read or reconstructed. Electronic PHI, however, must be destroyed in accordance with specific government guidelines.116
Footnotes
- 114. Breach Notification for Unsecured Protected Health Information, 74 Fed. Reg. 42,740 (August 24, 2009) (to be codified at 45 C.F.R. pt. 160 and 164), available at http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf.
- 115. Breach Notification for Unsecured Protected Health Information, 74 Fed. Reg. at 42,742.
- 116. Nat’l Inst. of Standards & Tech., U.S. Dep’t of Commerce, NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices (2007), available at http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf.
.png)