[ Friday, April 17, 2009 ]
HHS issues guidance on what makes PHI "unsecured" for new data breach rules: This is hot off the presses, and I haven't had time to read it yet, but a quick scan leads me to believe that my original impression was correct: you've got to encrypt for ePHI to be "secured."
UPDATE: well, actually, there's another technology/methodology that will make the PHI "secured": destruction. So, you've got to encrypt or destroy. That's all there is. If you have paper data and it isn't destroyed, you can't be sure it's not "unsecured," regardless of how tightly you have it locked down. If you have electronic PHI that isn't encrypted because you're using it, it is "unsecured," and any data loss, regardless of how unforeseeable, requires public disclosure on your part. This is not helpful.
HHS is seeking comments on this guidance. I'd encourage you to send in comments. Particularly with regard to usual operations, such as data "in use" that isn't encrypted but is protected by access controls and physical protections like locked doors. Locked file cabinets should be a sufficient "methodology" for securing paper records. Password-protected or zipped files, coupled with good physical security, should be a sufficient technology/methodology combo.
This isn't a good start. We obviously need a secretary at HHS.
UPDATE II: I started to say, "I'm not the only one with this analysis." But I realized that Dom's article was written Friday, obviously before the HHS "guidance" came out. Still, I don't think much of this guidance, I've got to say. . . .
UPDATE III: If you subscribe to BNA, here is their post.
Jeff [4:24 PM]