HHS releases guidance on securing electronic health data

To expand the use of electronic health records (EHRs), the Health and Human Services Department (HHS) has issued guidance on technologies and methods to protect personal electronic health care data.

This 20-page guidance document released April 17 by HHS describes encryption and destruction as the means to protect personal health data by making the data “unusable, unreadable or indecipherable” to unauthorized individuals.

Entities that comply with the guidance will not be subjected to upcoming breach notification provisions for unsecured data. “The specified technologies and methodologies, if used, create the functional equivalent of a safe harbor,” the document states.

The guidelines were developed through a joint effort by the HHS Office for Civil Rights, Office of the National Coordinator for Health Information Technology, and the Centers for Medicare and Medicaid Services.

This guidance is linked to two sets of breach notification regulations required by Congress as part of the economic stimulus law.

HHS will release a breach notification regulation for hospitals, physicians, health plans, health providers and other covered entities under the Health Insurance Portability and Accountability Act of 1996. The Federal Trade Commission will release another breach regulation for vendors of personal health records and other non-HIPAA-covered entities.

Entities that comply with the guidance will not be subject to the upcoming breach notification provisions for unsecured data.

The public is invited to comment on the guidance until May 21.