HHS has issued guidance on protecting personally identifiable healthcare information by encrypting or destroying it so that it is rendered unusable, unreadable or indecipherable to unauthorized individuals.
The 20-page document and a news release were issued late Friday. The guidance was a joint effort by HHS, its Office of the National Coordinator for Health Information Technology, its Office for Civil Rights and the CMS. The guidance was required by the American Recovery and Reinvestment Act, or stimulus package.
This guidance is linked to a pair of breach-notification regulations required under the stimulus legislation. One is to be issued by HHS, the other by the Federal Trade Commission. On Thursday, the FTC issued an interim rule and a request for comments covering breach notification by personal health-record vendors and other entities not covered by the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996. HHS is to issue its regulations for so-called covered entities (providers, payers and claims clearinghouses) and their business associates regulated under HIPAA. Both the HHS and FTC regulations are to be published in the Federal Register within 180 days of the Feb. 17 enactment of the stimulus package.
HHS also requests public comments on the proposed rulemaking. Comments must be submitted by May 21.