27 April 2009
[Federal Register: April 27, 2009 (Volume 74, Number 79)]
[Rules and Regulations]
[Page 19006-19010]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr27ap09-11]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
45 CFR Parts 160 and 164
Guidance Specifying the Technologies and Methodologies That
Render Protected Health Information Unusable, Unreadable, or
Indecipherable to Unauthorized Individuals for Purposes of the Breach
Notification Requirements Under Section 13402 of Title XIII (Health
Information Technology for Economic and Clinical Health Act) of the
American Recovery and Reinvestment Act of 2009; Request for Information
AGENCY: Office of the Secretary, Department of Health and Human
Services.
ACTION: Guidance and Request for Information.
-----------------------------------------------------------------------
SUMMARY: This document is guidance and a request for comments under
section 13402 of the Health Information Technology for Economic and
Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of
Division B of the American Recovery and Reinvestment Act of 2009 (ARRA)
(Pub. L. 111-5). ARRA was enacted on February 17, 2009. The HITECH Act
(the Act) at section 13402 requires the Department of Health and Human
Services (HHS) to issue interim final regulations within 180 days of
enactment to require covered entities under the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) and their business
associates to provide for notification in the case of breaches of
unsecured protected health information. For purposes of these
requirements, section 13402(h) of the Act defines ``unsecured protected
health information'' to mean protected health information that is not
secured through the use of a technology or methodology specified by the
Secretary in guidance, and requires the Secretary to issue such
guidance no later than 60 days after enactment and to specify within
the technologies and methodologies that render protected health
information unusable, unreadable, or indecipherable to unauthorized
individuals. Through this document, HHS is issuing the required
guidance and seeking public comment both on the guidance as well as the
breach notification provisions of the Act generally to inform the
future rulemaking and updates to the guidance.
DATES: Comments must be submitted on or before May 21, 2009. The
guidance is applicable upon issuance, which occurred on April 17, 2009,
through posting on the HHS Web site at http://www.hhs.gov/ocr/privacy.
However, the guidance will apply to breaches 30 days after publication
of the forthcoming interim final regulations. If we determine that the
guidance should be modified based on public comments, we will issue
updated guidance prior to or concurrently with the regulations.
ADDRESSES: Written comments may be submitted through any of the methods
specified below. Please do not submit duplicate comments.
Federal eRulemaking Portal: You may submit electronic
comments at http://www.regulations.gov. Follow the instructions for
submitting electronic comments. Attachments should be in Microsoft
Word, WordPerfect, or Excel; however, we prefer Microsoft Word.
Regular, Express, or Overnight Mail: You may mail written
comments (one original and two copies) to the following address only:
U.S. Department of Health and Human Services, Office for Civil Rights,
Attention: HITECH Breach Notification, Hubert H. Humphrey Building,
Room 509F, 200 Independence Avenue, SW., Washington, DC 20201.
Hand Delivery or Courier: If you prefer, you may deliver
(by hand or courier) your written comments (one original and two
copies) to the following address only: Office for Civil Rights,
Attention: HITECH Breach Notification, Hubert H. Humphrey Building,
Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. (Because
access to the interior of the Hubert H. Humphrey Building is not
readily available to persons without federal government identification,
commenters are encouraged to leave their comments in the mail drop
slots located in the main lobby of the building.)
Inspection of Public Comments: All comments received before the
close of the comment period will be available for public inspection,
including any personally identifiable or confidential business
information that is included in a comment. We will post all comments
received before the close of the comment period at http://
www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202-205-2292.
SUPPLEMENTARY INFORMATION:
I. Background
The Health Information Technology for Economic and Clinical Health
(HITECH) Act was enacted on February 17, 2009, as Title XIII of
Division A and Title IV of Division B of the American Recovery and
Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5). Subtitle D of
[[Page 19007]]
the HITECH Act (the Act), entitled ``Privacy,'' among other provisions,
requires HHS to issue interim final regulations for breach notification
by entities subject to the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) and their business associates. In
particular, section 13402 of the Act requires HIPAA covered entities to
notify affected individuals, and requires business associates to notify
covered entities, following the discovery of a breach of unsecured
protected health information (PHI).\1\
---------------------------------------------------------------------------
\1\ Protected health information (PHI) is individually
identifiable health information transmitted or maintained by a
covered entity or its business associate in any form or medium. 45
CFR 160.103.
---------------------------------------------------------------------------
The Act at section 13402(h) defines ``unsecured protected health
information'' to mean PHI that is not secured through the use of a
technology or methodology specified by the Secretary in guidance.
Further, the Act provides that no later than 60 days after enactment,
the Secretary shall, after consultation with stakeholders, issue (and
annually update) guidance specifying the technologies and methodologies
that render PHI unusable, unreadable, or indecipherable to unauthorized
individuals.\2\ The Act also provides that in the case the Secretary
does not issue timely guidance, the term ``unsecured protected health
information'' shall mean ``protected health information that is not
secured by a technology standard that renders protected health
information unusable, unreadable, or indecipherable to unauthorized
individuals and is developed or endorsed by a standards developing
organization that is accredited by the American National Standards
Institute (ANSI).'' \3\
---------------------------------------------------------------------------
\2\ The Act provides that the technologies and methodologies
specified in the guidance also are to address the use of standards
developed under section 3002(b)(2)(B)(vi) of the Public Health
Service Act, as added by section 13101 of the Act. Section
3002(b)(2)(B)(vi) of the Public Health Service Act requires the HIT
Policy Committee established in section 3002 to issue
recommendations on the development of technologies that allow
individually identifiable health information to be rendered
unusable, unreadable, or indecipherable to unauthorized individuals
when such information is transmitted in the nationwide health
information network or physically transported outside of the secured
physical perimeter of a health care provider, health plan, or health
care clearinghouse. The Department intends to address such standards
as they are developed in future iterations of this guidance.
\3\ This provision becomes moot with the issuance of this
guidance.
---------------------------------------------------------------------------
If PHI is rendered unusable, unreadable, or indecipherable to
unauthorized individuals by one or more of the methods identified in
this guidance, then such information is not ``unsecured'' PHI. Thus,
because the breach notification requirements apply only to breaches of
unsecured PHI, this guidance provides the means by which covered
entities and their business associates are to determine whether a
breach has occurred to which the notification obligations under the Act
and its implementing regulations apply. Further, section 13407 of the
Act defines ``unsecured PHR identifiable information'' as personal
health record (PHR) identifiable health information that is not
protected through the use of a technology or methodology specified in
the Secretary's guidance. Thus, this guidance also is to be used to
specify the technologies and methodologies that render PHR identifiable
health information unusable, unreadable, or indecipherable to
unauthorized individuals for purposes of the temporary breach
notification requirements that apply to vendors of PHRs and certain
other entities (that are not otherwise HIPAA covered entities) under
section 13407 of the Act. Section 13407 is to be administered by the
Federal Trade Commission (FTC) and requires the FTC to promulgate
regulations within 180 days of enactment.
The breach notification provisions of section 13402 apply to HIPAA
covered entities and their business associates that access, maintain,
retain, modify, record, store, destroy, or otherwise hold, use, or
disclose unsecured PHI (sections 13402(a) and (b)). For purposes of
these provisions, ``breach'' is defined in the Act as ``the
unauthorized acquisition, access, use, or disclosure of protected
health information which compromises the security or privacy of such
information, except where an unauthorized person to whom such
information is disclosed would not reasonably have been able to retain
such information.'' The Act includes exceptions to this definition for
cases in which: (1) The unauthorized acquisition, access, or use of PHI
is unintentional and made by an employee or individual acting under
authority of a covered entity or business associate if such
acquisition, access, or use was made in good faith and within the
course and scope of the employment or other professional relationship
with the covered entity or business associate, and such information is
not further acquired, accessed, used, or disclosed; or (2) where an
inadvertent disclosure occurs by an individual who is authorized to
access PHI at a facility operated by a covered entity or business
associate to another similarly situated individual at the same
facility, as long as the PHI is not further acquired, accessed, used,
or disclosed without authorization (section 13400, definition of
``breach'').
Following the discovery of a breach of unsecured PHI, a covered
entity must notify each individual whose unsecured PHI has been, or is
reasonably believed to have been, inappropriately accessed, acquired,
or disclosed in the breach (section 13402(a)). Additionally, following
the discovery of a breach by a business associate, the business
associate must notify the covered entity of the breach and identify for
the covered entity the individuals whose unsecured PHI has been, or is
reasonably believed to have been, breached (section 13402(b)). The Act
requires the notifications to be made without unreasonable delay but in
no case later than 60 calendar days after discovery of the breach,
except that section 13402(g) requires a delay of notification where a
law enforcement official determines that a notification would impede a
criminal investigation or cause damage to national security.
The Act specifies the following methods of notice in section
13402(e):
Written notice to the individual (or next of kin if the
individual is deceased) at the last known address of the individual (or
next of kin) by first-class mail (or by electronic mail if specified by
the individual).
In the case in which there is insufficient or out-of-date
contact information, substitute notice, including, in the case of 10 or
more individuals for which there is insufficient contact information,
conspicuous posting (for a period determined by the Secretary) on the
home page of the Web site of the covered entity or notice in major
print or broadcast media.
In cases that the entity deems urgent based on the
possibility of imminent misuse of the unsecured PHI, notice by
telephone or other method is permitted in addition to the above
methods.
Notice to prominent media outlets within the State or
jurisdiction if a breach of unsecured PHI affects or is reasonably
believed to affect more than 500 residents of that State or
jurisdiction.
Notice to the Secretary by covered entities immediately
for breaches involving more than 500 individuals and annually for all
other breaches.
Posting by the Secretary on an HHS Web site of a list that
identifies each covered entity involved in a breach in which the
unsecured PHI of more than 500 individuals is acquired or disclosed.
[[Page 19008]]
Section 13402(f) of the Act requires the notification of a breach
to include (1) a brief description of what happened, including the date
of the breach and the date of the discovery of the breach, if known;
(2) a description of the types of unsecured PHI that were involved in
the breach (such as full name, Social Security number, date of birth,
home address, account number, or disability code); (3) the steps
individuals should take to protect themselves from potential harm
resulting from the breach; (4) a brief description of what the covered
entity involved is doing to investigate the breach, to mitigate losses,
and to protect against any further breaches; and (5) contact procedures
for individuals to ask questions or learn additional information, which
shall include a toll-free telephone number, an e-mail address, Web
site, or postal address. Finally, section 13402(i) requires the
Secretary to annually prepare and submit to Congress a report regarding
the breaches for which the Secretary was notified.
The Department's interim final regulations will become effective 30
days after publication and will apply to breaches of unsecured PHI
thereafter.
II. Guidance Specifying the Technologies and Methodologies That Render
Protected Health Information Unusable, Unreadable, or Indecipherable to
Unauthorized Individuals
Please note that this guidance does not address the use of de-
identified information as a method to render protected health
information (PHI) unusable, unreadable, or indecipherable to
unauthorized individuals because once PHI has been de-identified in
accordance with the HIPAA Privacy Rule,\4\ it is no longer PHI and,
therefore, no longer subject to the HIPAA Privacy and Security
Rules.\5\ However, nothing in this guidance should be construed as
discouraging covered entities and business associates from using de-
identified information to the maximum extent practicable.
---------------------------------------------------------------------------
\4\ De-identified health information neither identifies nor
provides a reasonable basis to identify an individual. The HIPAA
Privacy Rule provides two ways to de-identify information: (1) A
formal determination by a qualified statistician; or (2) the removal
of 18 specified identifiers of the individual and of the
individual's relatives, household members, and employers, and the
covered entity has no actual knowledge that the remaining
information could be used to identify the individual. 45 CFR
164.514(b).
\5\ 45 CFR Parts 160 and Subparts A, C, and E of Part 164.
---------------------------------------------------------------------------
A. Background
This guidance identifies the technologies and methodologies that
can be used to render PHI (as defined in 45 CFR 160.103) unusable,
unreadable, or indecipherable to unauthorized individuals. It should be
used by covered entities and their business associates to determine
whether ``unsecured protected health information'' has been breached,
thereby triggering the notification requirements specified in section
13402 of the Act and its forthcoming implementing regulations.
This guidance is not intended to instruct covered entities and
business associates on how to prevent breaches of PHI. The HIPAA
Privacy and Security Rules, which are much broader in scope and
different in purpose than this guidance, are intended, in part, to
prevent or reduce the likelihood of breaches of PHI. Covered entities
must comply with the requirements of the HIPAA Privacy and Security
Rules by conducting risk analyses and implementing physical,
administrative, and technical safeguards that each covered entity
determines are reasonable and appropriate. Covered entities and
business associates seeking additional information also may want to
refer to the National Institute of Standards and Technology (NIST)
Special Publication 800-66-Revision 1, ``An Introductory Resource Guide
for Implementing the HIPAA Security Rule.'' \6\
---------------------------------------------------------------------------
\6\ Available at http://www.csrc.nist.gov/.
---------------------------------------------------------------------------
This guidance is intended to describe the technologies and
methodologies that can be used to render PHI unusable, unreadable, or
indecipherable to unauthorized individuals. While covered entities and
business associates are not required to follow the guidance, the
specified technologies and methodologies, if used, create the
functional equivalent of a safe harbor, and thus, result in covered
entities and business associates not being required to provide the
notification otherwise required by section 13402 in the event of a
breach. However, while adherence to this guidance may result in covered
entities and business associates not being required to provide the
notifications in the event of a breach, covered entities and business
associates still must comply with all other federal and state statutory
and regulatory obligations that may apply following a breach of PHI,
such as state breach notification requirements, if applicable, as well
as the obligation on covered entities at 45 CFR 164.530(f) of the HIPAA
Privacy Rule to mitigate, to the extent practicable, any harmful effect
that is known to the covered entity as a result of a breach of PHI by
the covered entity or business associate.
In accordance with the requirements of this Act, we are issuing
this guidance after consultation with stakeholders. Specifically, we
consulted with external experts in health informatics and security,
including representatives from several Federal agencies. In issuing
this guidance, HHS is soliciting additional public input on the
guidance, including whether there are other specific types of
technologies and methodologies that should be included in future
updates to the guidance if appropriate. This guidance may be modified
based on public feedback and updated guidance may be issued prior to or
concurrently with the interim final regulations.
The term ``unsecured protected health information'' includes PHI in
any form that is not secured through the use of a technology or
methodology specified in this guidance. This guidance, however,
addresses methods for rendering PHI in paper or electronic form
unusable, unreadable, or indecipherable to unauthorized individuals.
Data comprising PHI can be vulnerable to a breach in any of the
commonly recognized data states: ``data in motion'' (i.e., data that is
moving through a network, including wireless transmission \7\); ``data
at rest'' (i.e., data that resides in databases, file systems, and
other structured storage methods \8\); ``data in use'' (i.e., data in
the process of being created, retrieved, updated, or deleted \9\); or
``data disposed'' (e.g., discarded paper records or recycled electronic
media). PHI in each of these data states (with the possible exception
of ``data in use'' \10\) may be secured using one or more methods. In
consultation with information security experts at NIST, we have
identified two methods for rendering PHI unusable, unreadable, or
indecipherable to unauthorized individuals: encryption and destruction.
Both of these methods are discussed below.
---------------------------------------------------------------------------
\7\ Preventing Data Leakage Safeguards Technical Assistance,
Internal Revenue Service, http://www.irs.gov/businesses/small/
article/0,,id=201295,00.html.
\8\ Kanagasingham, P. Data Loss Prevention, SANS Institute,
2008.
\9\ Sometimes referred to as ``data at the endpoints.''
\10\ We solicit comments on methods to protect data in use. See
Section III.A.1.
---------------------------------------------------------------------------
Encryption is one method of rendering electronic PHI unusable,
unreadable, or indecipherable to unauthorized persons. The successful
use of encryption depends upon two
[[Page 19009]]
main features: The strength of the encryption algorithm and the
security of the decryption key or process. The specification of
encryption methods in this guidance includes the condition that the
processes or keys that might enable decryption have not been breached.
This guidance also addresses the destruction of PHI both in paper
and electronic form as a method for rendering such information
unusable, unreadable, or indecipherable to unauthorized individuals. If
PHI is destroyed prior to disposal in accordance with this guidance, no
breach notification is required following access to the disposed hard
copy or electronic media by unauthorized persons.
Note that the technologies and methodologies referenced below in
Section B are intended to be exhaustive and not merely illustrative.
Solicitation of Public Comment on Additional Technologies and
Methodologies
Because we intend this guidance to be an exhaustive list of the
technologies and methodologies that can be used to render PHI unusable,
unreadable, or indecipherable to unauthorized individuals, we are
soliciting public comment on whether there are additional technologies
and methodologies the Department should consider adding to this
exclusive list in future iterations of this guidance.\11\
---------------------------------------------------------------------------
\11\ See Section III.A.3.
---------------------------------------------------------------------------
In particular, in the development of this guidance, the Department
considered whether PHI in limited data set form should be treated as
unusable, unreadable, or indecipherable to unauthorized individuals for
purposes of breach notification, and thus, included in this guidance. A
limited data set is PHI from which the 16 direct identifiers listed at
45 CFR 164.514(e)(2) of the HIPAA Privacy Rule, including an
individual's name, address, Social Security number, and account number,
have been removed. Although a limited data set requires the removal of
direct identifiers, the information is not completely de-identified
pursuant to 45 CFR 164.514(b) of the HIPAA Privacy Rule. Due to the
risk of re-identification of a limited data set, the HIPAA Privacy Rule
treats information in a limited data set as PHI, which must be
protected and only used or disclosed as permitted by the HIPAA Privacy
Rule. However, although the HIPAA Privacy Rule treats information in a
limited data set as PHI, the Rule does make distinctions in terms of
its requirements between PHI in a limited data set and PHI that
contains direct identifiers. First, the HIPAA Privacy Rule permits
covered entities to use or disclose PHI in a limited data set in
certain circumstances where fully-identifiable PHI is not permitted,
such as for research purposes where no individual authorization or an
Institutional Review Board waiver of authorization is obtained. See 45
CFR 164.502(a)(1)(vi) and 164.514(e). In these situations, to attempt
to control the risk of re-identification of PHI in a limited data set,
the HIPAA Privacy Rule requires a data use agreement to be in place
between the covered entity and the recipient of the limited data set
obligating the recipient to not re-identify the information or contact
the individuals (45 CFR 164.514(e)(4)). Second, the HIPAA Privacy Rule
further distinguishes between PHI in a limited data set and fully-
identifiable PHI by excluding disclosures of PHI in limited data set
form from the accounting of disclosures requirement at 45 CFR
164.528(a)(1)(viii).
In determining whether PHI in limited data set form should be
treated as unusable, unreadable, or indecipherable to unauthorized
individuals for purposes of breach notification, we considered the
following in support of including the creation of a limited data set in
this guidance: (1) Doing so would better align this guidance and the
forthcoming federal regulations with state breach notification laws,
which, as a general matter, only address the compromise of direct
identifiers; and (2) there may be administrative and legal difficulties
covered entities face in notifying individuals of a breach of a limited
data set in light of limited contact information and requirements in
data use agreements.
On the other hand, because PHI in limited data set form is not
completely de-identified, the risk of re-identification is a
consideration in determining whether it should be treated as unusable,
unreadable, or indecipherable to unauthorized individuals for purposes
of breach notification, and thus, included in this guidance as an
acceptable methodology. Therefore, the Department is interested in
receiving public comments on whether the risk of re-identification of a
limited data set warrants its exclusion from the list of technologies
and methodologies that render PHI unusable, unreadable, or
indecipherable to unauthorized individuals.
For those that believe the risk of re-identification of a limited
data set warrants exclusion, we also request comment on whether
concerns would be alleviated if we required, for purposes of inclusion
in the guidance, the removal of certain of the remaining indirect
identifiers in the limited data set. For example, some research
suggests that a significant percentage of the U.S. population can be
identified with just three key pieces of information, along with other
publicly available data: gender, birth date (month/day/year), and 5-
digit zip code.\12\ Would the removal of one further piece of
information from the limited data set--either the month and day of
birth (but not the year of birth) or the last 3 digits of a 5-digit zip
code (in addition to the elements listed in the HIPAA Privacy Rule at
45 CFR 164.514(e)(2) for creation of limited data sets)--sufficiently
reduce the risk of re-identification such that this modified data set
could be added to this guidance? \13\ Research suggests that doing so
could significantly reduce the risk of re-identification.\14\
---------------------------------------------------------------------------
\12\ Golle P. (2006). Revisiting the Uniqueness of Simple
Demographics in the US Population. Available at http://
crypto.stanford.edu/pgolle/papers/census.pdf.
\13\ See Section III.A.5.
\14\ Golle P. (2006). Revisiting the Uniqueness of Simple
Demographics in the US Population. Available at http://
crypto.stanford.edu/pgolle/papers/census.pdf.
---------------------------------------------------------------------------
B. Guidance Specifying the Technologies and Methodologies That Render
Protected Health Information Unusable, Unreadable, or Indecipherable to
Unauthorized Individuals
Protected health information (PHI) is rendered unusable,
unreadable, or indecipherable to unauthorized individuals only if one
or more of the following applies:
(a) Electronic PHI has been encrypted as specified in the HIPAA
Security Rule by ``the use of an algorithmic process to transform data
into a form in which there is a low probability of assigning meaning
without use of a confidential process or key'' \15\ and such
confidential process or key that might enable decryption has not been
breached. Encryption processes identified below have been tested by the
National Institute of Standards and Technology (NIST) and judged to
meet this standard.\16\
---------------------------------------------------------------------------
\15\ 45 CFR 164.304, definition of ``encryption.''
\16\ The NIST Computer Security Division's mission is to provide
standards and technology to protect information systems against
threats to the confidentiality of information, integrity of
information and processes, and availability of information and
services in order to build trust and confidence in Information
Technology (IT) systems. The NIST standards are the standards the
Federal government uses to protect its information systems.
---------------------------------------------------------------------------
(i) Valid encryption processes for data at rest are consistent with
NIST Special
[[Page 19010]]
Publication 800-111, Guide to Storage Encryption Technologies for End
User Devices.\17\
---------------------------------------------------------------------------
\17\ Available at http://www.csrc.nist.gov/.
---------------------------------------------------------------------------
(ii) Valid encryption processes for data in motion are those that
comply with the requirements of Federal Information Processing
Standards (FIPS) 140-2. These include, as appropriate, standards
described in NIST Special Publications 800-52, Guidelines for the
Selection and Use of Transport Layer Security (TLS) Implementations;
800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may
include others which are FIPS 140-2 validated.\18\
---------------------------------------------------------------------------
\18\ Available at http://www.csrc.nist.gov/.
---------------------------------------------------------------------------
(b) The media on which the PHI is stored or recorded has been
destroyed in one of the following ways:
(i) Paper, film, or other hard copy media have been shredded or
destroyed such that the PHI cannot be read or otherwise cannot be
reconstructed.
(ii) Electronic media have been cleared, purged, or destroyed
consistent with NIST Special Publication 800-88, Guidelines for Media
Sanitization,\19\ such that the PHI cannot be retrieved.
---------------------------------------------------------------------------
\19\ Available at http://www.csrc.nist.gov/.
---------------------------------------------------------------------------
III. Solicitation of Comments
A. Guidance Specifying the Technologies and Methodologies That Render
Protected Health Information Unusable, Unreadable, or Indecipherable to
Unauthorized Individuals
The Department is seeking comments on its guidance regarding the
technologies and methodologies that render PHI unusable, unreadable, or
indecipherable to unauthorized individuals for purposes of section
13402(h)(2) of the Act. In particular, the Department is interested in
receiving comments on the following:
1. Are there particular electronic media configurations that may
render PHI unusable, unreadable, or indecipherable to unauthorized
individuals, such as a fingerprint protected Universal Serial Bus (USB)
drive, which are not sufficiently covered by the above and to which
guidance should be specifically addressed?
2. With respect to paper PHI, are there additional methods the
Department should consider for rendering the information unusable,
unreadable, or indecipherable to unauthorized individuals?
3. Are there other methods generally the Department should consider
for rendering PHI unusable, unreadable, or indecipherable to
unauthorized individuals?
4. Are there circumstances under which the methods discussed above
would fail to render information unusable, unreadable, or
indecipherable to unauthorized individuals?
5. Does the risk of re-identification of a limited data set warrant
its exclusion from the list of technologies and methodologies that
render PHI unusable, unreadable, or indecipherable to unauthorized
individuals? Can risk of re-identification be alleviated such that the
creation of a limited data set could be added to this guidance?
6. In the event of a breach of protected health information in
limited data set form, are there any administrative or legal concerns
about the ability to comply with the breach notification requirements?
7. Should future guidance specify which off-the-shelf products, if
any, meet the encryption standards identified in this guidance?
B. Breach Notification Provisions Generally
In addition to public comment on the guidance, the Department also
requests comments concerning any other areas or issues pertinent to the
development of its interim final regulations for breach notification.
In particular, the Department is interested in comment in the following
areas:
1. Based on experience in complying with state breach notification
laws, are there any potential areas of conflict or other issues the
Department should consider in promulgating the federal breach
notification requirements?
2. Given current obligations under state breach notification laws,
do covered entities or business associates anticipate having to send
multiple notices to an individual upon discovery of a single breach?
Are there circumstances in which the required federal notice would not
also satisfy any notice obligations under the state law?
3. Considering the methodologies discussed in the guidance, are
there any circumstances in which a covered entity or business associate
would still be required to notify individuals under state laws of a
breach of information that has been rendered secured based on federal
requirements?
4. The Act's definition of ``breach'' provides for a variety of
exceptions. To what particular types of circumstances do entities
anticipate these exceptions applying?
Dated: April 22, 2009.
Charles E. Johnson,
Acting Secretary.
[FR Doc. E9-9512 Filed 4-22-09; 4:15 pm]
BILLING CODE 4150-03-P
|