“Securing” Protected Health Information (“PHI”) allows medical laboratories to avoid HITECH breach notification requirements
As of February 22, 2010, clinical laboratories, pathology groups, and other health providers have new breach notification requirements relating to protected health information (PHI). This is mandated in the legislation known as the HITECH ACT.
Dark Daily reported extensively on the breach notification requirements imposed by the HITECH ACT. Under the breach notification requirements a covered entity—such as a clinical laboratory or pathology group—is obligated to notify patients and the Department of Health & Human Services (HHS) of the breach. In some cases, the entity must also notify the media.
While most medical laboratories and pathology practices are probably familiar with the new breach notification requirements, they may not be aware that there is an exception to the breach notification requirements for “secured” PHI.
As a supplement to the HITECH ACT compliance recommendations The Dark Report brought you in late 2009, attorney Elizabeth Sullivan of McDonald Hopkins, LLC explains that entities can avoid the new breach notification requirements, but only if they take advantage of the exception that exists for “secured” PHI. The enforcement date for the breach notification requirements was February 22, 2010.
“It is important to note that the breach notification requirements only apply to ‘unsecured’ PHI,” Sullivan said. “‘Unsecured’ PHI is defined as protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of HHS. If an entity has taken the appropriate steps to secure the PHI, it is not subject to the breach notification requirements.”
While the exception is limited, it is noteworthy because it means that a covered entity—such as a clinical laboratory or pathology group—has the opportunity to avoid the breach notification process altogether. “It also means that the entity’s method of protecting PHI meets a higher standard of security,” she added, noting that, despite the complexity of the HITECH legislation, the distinction between “secured” and “unsecured” is relatively simple.
“It may sound odd to use the terms ‘secured’ and ‘unsecured’ because it leads you to believe some entities are not protecting their PHI,” Sullivan observed. “In both cases, the necessary steps are taken to protect the PHI; however ‘secured’ PHI is protected through the use of a technology or methodology specified by the Secretary of HHS (http://www.hhs.gov).
“HHS has specified two methods by which PHI can be ‘secured’. PHI can be ‘secured’ through encryption or destruction,” she explained. “There are very specific encryption requirements for ‘secured’ PHI. Encryption requires ‘the use of an algorithmic process to transfer data into a form in which there is a low probability of assigning meaning without use of a confidential process of key.’ The decryption process or key must be stored on a device or in a location that is separate from the encrypted information. HHS’ guidance on encryption was published in the August 24, 2009, Federal Register (74 Fed. Reg. 42740 et seq) and references standards set forth by the National Institute of Standards and Technology (NIST). Destruction is the only method to secure paper PHI. Redacted PHI, for instance, does not qualify as ‘secured’ PHI.
“To illustrate the distinction between ‘secured’ and ‘unsecured’ PHI, imagine a laboratory’s laptop is stolen,” continued Sullivan. “If the laptop contains only ‘secured’ PHI, and the decryption key has not been compromised, the breach is not subject to the breach notification requirements. If the laptop contains ‘unsecured’ PHI, the laboratory will be required to take steps to comply with the breach notification requirements.”
Sullivan noted that laboratories should weigh the benefit of avoiding the breach notification requirements against the cost of properly encrypting PHI. “Not all breaches of unsecured PHI will result in notification to the public. Each time a breach of unsecured PHI takes place, the laboratory can conduct a risk assessment to determine whether a notification is necessary.” Although a laboratory may ultimately avoid public notification when a breach of PHI occurs, the risk assessment may be costly and complex. If an entity is forced to conduct repeated risk assessments, investing the time and resources to “secure” PHI may be a cost effective alternative.
While the enactment of the HITECH legislation created the new breach notification requirements for entities handling PHI, ‘secured’ PHI provides a safe harbor that allows laboratories to avoid the breach notification requirements. “Entities—including clinical laboratories and pathology practices—should consider using the encryption standards, not only to ‘secure’ PHI and avoid the breach notification requirements, but also to improve the general security of the PHI,” concluded Sullivan.