HITECH Act Breach Notification Guidance: What Renders PHI Unusable, Unreadable or Indecipherable For Purposes of Breach Notification?

On April 17, 2009, the U.S. Department of Health & Human Services (HHS) issued guidance on the technology requirements to render protected health information (PHI) “unusable, unreadable or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health Act (HITECH) which is a part of the American Recovery and Reinvestment Act of 2009 (ARRA).

The April 27, 2009 Federal Register (74 FR 19006),contains the official copy of the regulation, Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information

The guidance is effective as of April 17, 2009. However, the guidance will apply to breaches 30 days after publication of the interim final regulations.

HHS’s press release on the guidance states:

The guidance issued today provides steps entities can take to secure personal health information and establishes the trigger for when entities must notify that patient data has been compromised. This guidance is related to “breach notification” regulations, which will be issued by HHS and the Federal Trade Commission respectively. The HHS regulations will apply to entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the FTC regulation will apply to vendors of personal health records and certain others not covered by HIPAA. The Recovery Act requires that these regulations be published within 180 days of enactment.
The guidance was developed through a joint effort by the HHS Office for Civil Rights (OCR), Office of the National Coordinator for Health Information Technology (ONC), and Centers for Medicare &Medicaid Services (CMS).

The guidance also seeks public comments on the guidance as well as the breach notification provisions under FTC’s new Health Breach Notification Rule and the yet to be releases HHS Breach Notification Requirements for HIPAA Covered Entities and Business Associates. Public comments must be submitted on or before May 21, 2009.