HHS Delays Enforcement of HITECH Act Business Associate Provisions

We understand that yesterday Adam H. Greene (Office of the General Counsel, Civil Rights Division, U.S. Department of Health & Human Services), speaking at the ABA’s 11th Annual Conference on Emerging Issues in Healthcare Law, indicated that enforcement of the business associate provisions of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which became effective on February 17, 2010, will be delayed until final rules addressing those provisions are published.  The HITECH Act’s business associate provisions require business associates to implement the information security safeguards specified by the HIPAA Security Rule, and comply with certain requirements of the HIPAA Privacy Rule.  Similarly, the HITECH Act requires covered entities to provide in their business associate agreements that all of the HITECH Act’s security requirements applicable to covered entities are also applicable to business associates.

The Office for Civil Rights (“OCR”), which enforces HIPAA’s Privacy and Security Rules, has stated publicly that it is carefully evaluating how to proceed with HIPAA enforcement.  For example, Section 13411 of the HITECH Act requires HHS to “provide for periodic audits to ensure that covered entities and business associates” are complying with the HITECH Act and its implementing regulations.  At the 18th Annual National HIPAA Summit in early February, Sue McAndrew, the OCR’s Deputy Director for Health Information Privacy, explained that there are “1,000 ways” to conduct HIPAA audits and that OCR is working with a HIPAA expert to “map out essentially the range of options” to determine how best to effectively conduct HIPAA audits.

Despite the delay in enforcement, covered entities and business associates should take necessary actions to comply with the HITECH Act’s requirements.  Please see our client alert on HITECH compliance for more information.

Interim Final Rule Implements Increased Penalties for HIPAA Violations

The Department of Health and Human Services (“HHS”) released an interim final rule to incorporate the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) categories of violations and tiered civil penalty amounts.  The interim final rule is expected to be published in the Federal Register on October 30, 2009 and takes effect on November 30, 2009.  The rule applies to violations of the Health Insurance Portability and Accountability Act of 2003 (“HIPAA”) that occur on or after February 18, 2009.

The interim final rule amends HIPAA’s enforcement regulations.  Specifically, the rule incorporates the HITECH Act’s categories of violations, tiered ranges of civil penalty amounts, and revised limitations on the Secretary of HHS’s authority to impose civil penalties for violations of HIPAA’s rules.  Pursuant to the interim final rule, covered entities may be subject to tiers of penalties as described below:

  • If a covered entity did not know and, by exercising reasonable diligence, would not have known that it was in violation, the minimum civil penalty is $100 per violation.
  • If a violation was the result of “reasonable cause” involving circumstances that would make it unreasonable for the covered entity (despite the exercise of ordinary business care and prudence) to comply, the minimum penalty is $1,000 per violation.
  • The minimum penalty for a violation that is the result of willful neglect and subsequently corrected is $10,000.
  • The minimum penalty for a violation that is the result of willful neglect and is not corrected is $50,000.
  • The maximum penalty amount for multiple violations is set at $1.5 million per calendar year.

HHS will be accepting comments on the interim final rule until December 29, 2009.  Read our earlier blog posting for further information regarding the HITECH Act.

Access a copy of the interim final rule.

HHS Issues Information Security Guidance Related to HITECH Act Breach Notice Obligations

On April 17, the U.S. Department of Health and Human Services (HHS) issued proposed information security guidance, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of American Recovery and Reinvestment Act of 2009 on February 17.  The HITECH Act requires covered entities and business associates, as well as vendors of personal health records, to provide notice of information security breaches affecting “unsecured protected health information” or “unsecured personal health record information,” respectively.  The HITECH Act further requires the Secretary of HHS to specify technologies and methodologies that would render protected health information (PHI) unusable, unreadable, or indecipherable to unauthorized individuals.  If covered entities, business associates and vendors of personal health records apply the technologies and methodologies specified in the guidance to protected health information, they will not be required to provide notice to affected individuals, HHS or the media, as otherwise required by the HITECH Act, in the event the information is breached.

Interestingly, the guidance specifies only two methods for securing PHI in a manner that would avoid the application of the HITECH Act’s breach notification provisions.  First, the guidance provides that PHI will be deemed unusable, unreadable or indecipherable if it has been encrypted, provided the encryption key has not also been breached.  In this regard, HHS has followed the lead of more than 45 state breach notification laws that likewise provide “safe harbors” for encrypted information.  HHS does, however, specify that encryption must comply with the HIPAA Security Rule’s provisions and further provides two specific examples of encryption that have been deemed to meet this standard: (1) for data at rest, encryption consistent with National Institute of Standards and Technology (NIST) Special Publication 800-111; and (2) for data in transit, encryption that complies with Federal Information Processing Standard (FIPS) 140-2.

Second, the guidance provides that PHI will be deemed unusable, unreadable or indecipherable if the media on which it is stored or recorded have been destroyed by one of the following methods: (1) paper, film or other hard copy media have been shredded or destroyed such that PHI cannot be read or reconstructed; and (2) electronic media have been cleared, purged or destroyed consistent with NIST Special Publication 800-88 such that PHI cannot be retrieved.

The guidance is clear that its recitation of information safeguards, though a proposal pending public comment, is intended to be exhaustive.  The guidance, developed jointly by the Office for Civil Rights, the Office of the National Coordinator for Health Information Technology, and the Centers for Medicare and Medicaid Services, acknowledges that use of the technologies and methodologies described therein is not required but, if used, “create[s] the functional equivalent of a safe harbor” with respect to the breach notification provision contained in the HITECH Act.  The guidance also notes that any other applicable requirements, such as mitigation requirements contained in the Privacy Rule and state breach notification laws, must be followed to the extent applicable, regardless of adherence to the guidance.

As above, this information security guidance relates to two sets of forthcoming breach notification regulations.  The first, applicable to covered entities and business associates, will be issued by HHS and the second, applicable to vendors of personal health records and certain other non-HIPAA covered entities, was issued by the Federal Trade Commission in proposed form on April 16.

Public comments on the HHS information security guidance are due by May 21, 2009.  HHS has specifically signaled interest in receiving comments regarding whether limited data sets of PHI should be considered, by definition, to render PHI unusable, unreadable or indecipherable such that the HITECH Act’s breach notification provisions would not apply.

In addition to the guidance, HHS also issued a request for information soliciting public comment on the breach notification provisions of the HITECH Act to inform its future rulemaking and its annual updates to the guidance.  The guidance is available here, and both the guidance and the request for information are available here.