nuBridges
USING ENCRYPTION TO NEUTRALIZE THE BREACH
NOTIFICATION REQUIREMENTS OF THE HITECH ACT

The passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act and the associated guidance from the Department of Health and Human Services (HHS) signals the first time a federal regulation addresses data breaches, specifically breaches involving unencrypted Protected Health Information (PHI). The data security sections of the HITECH Act were developed to require organizations that handle PHI to meet baseline criteria for protecting that data in motion, in use, at rest and when disposed.

A breach of unprotected data triggers disclosure requirements. A breach of encrypted data avoids those requirements; per an HHS press release, “Entities ... that secure health information as specified by the guidance through encryption or destruction are relieved from having to notify in the event of a breach of such information.”

Technology analysts are heralding HITECH as ground-breaking because it provides new clarity around data security and puts an unprecedented emphasis on encryption.


> “Addressing health information as a data element that imposes breach notification obligations represents a sea change in the context of data breach laws.”
>
> Privacy and Security Law Report, The Bureau of National Affairs


Like the Health Information Portability and Accountability Act (HIPAA), the HITECH Act covers health care providers, insurers, clearinghouses and also business associates that handle any PHI, as well as other personal information – name, Social Security number, address and insurance account numbers. Unlike HIPAA, HITECH requires public disclosure of any data breach of unencrypted PHI. What’s more, the notification requirement applies to all HIPAA-covered entities and their business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHI. By extending accountability from health care providers to their business associates, HITECH also means that many more organizations are subject to this new act.

Encryption Solutions from nuBridges Provide a Safe Harbor

Encryption of PHI data at rest and in transit provides a safe harbor that protects organizations from the costs and hassles associated with data breach notifications, and fines that can range from $100 to $1.5 million. nuBridges offers packaged software solutions that are ideal for NIST-compliant encryption of PHI at rest and in motion to help organizations meet the spirit and the letter of the HITECH Act.

Proven in production use, nuBridges technology also:

  • Protects PII and billions of credit card transactions for some of the most recognized brand names in the world;

  • Securely exchanges confidential business documents among thousands of business partners; and

  • Safely automates the DEA-mandated controlled substance ordering process;

to name just a few use cases. nuBridges Protect™ is an encryption solution, and nuBridges Exchange™ is a secure file transfer solution.

Learn More About the HITECH Act

See the August 2009 Interim Final Rule on Breach Notification for Unsecured Protected Health Information; item II on the third page contains the encryption guidance.

Helpful Background Information

The higher purpose of the HITECH Act is to proactively utilize information technology to make healthcare delivery more efficient and more accurate. The primary goals of the act are to:

  1. Establish standards that make electronic health records shareable and portable

  2. Establish a national network for providers to share electronic data

There are many opportunities that result from digitizing healthcare records (personal portability, valuable research data, performance measurements), and also many challenges. One of the most notable is information security.

While privacy protection has always been mandated under HIPAA, HITECH takes compliance to a new level – broadening the constituencies that must comply, providing clearer guidance on security requirements and turning up the heat on the consequences of a breach.

Entities subject to the act must notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used or disclosed as a result of such breach. Specifically:

  • If a breach occurs and the data was unsecured, victims must be notified by first-class mail within 60 days of the breach (the clock starts ticking when the breach was discovered, or when the entity should reasonably have been aware that it occurred) – a tight timeline, and the subject of some controversy.

  • The media must be notified in the event of any data breach of unsecured PHI that involves more than 500 residents of a particular state or jurisdiction.

  • If a breach affects more than 500 residents, additional notification requirements apply.

These regulations are in place to establish a baseline standard for data protection – avoiding the pain of breach notification achieves the desired result: Safer Personal Health Information.

Sharing Data. With Confidence. © 2010 nuBridges, Inc.