[Installment 4 – Governance Considerations from HIT for the Board and Other Hospital Stakeholders]. This is the fourth in a series of blog posts that relate to the governance concerns surrounding developments in HIPAA, HITECH and HIT.
Over the next several months, my blog entries will continue to discuss some of the threshold issues that face the manifold stakeholders in the hospital industry as they struggle to cope with the new and somewhat uneven landscape of health information technology (“HIT”) and protected health information (“PHI”). A major focus will be Boards and their responsibilities to their hospitals and other stakeholders with respect to HIT.
One of the issues facing Boards is the relatively risky and murky area of “securing” PHI under the HITECH Act. The HITECH Act directed the U.S. Department of Health and Human Services (“DHHS”) and the Federal Trade Commission (“FTC”) to issue regulations further detailing the required security breach notifications. Both agencies have proposed such regulations and are seeking public comment. Final regulations are to be issued by the agencies by August 17, 2009, as required by the HITECH Act.
DHHS has issued guidance on which technologies and methodologies hospitals may use to “secure” PHI. The outlined technologies render PHI unusable, unreadable or indecipherable to unauthorized individuals. A breach of secured PHI does not trigger the HITECH security breach notification requirements. Following the DHHS guidance therefore creates the functional equivalent of a safe harbor for hospitals and other providers. The safe harbor is only as good as the key, however: if the confidential process or key that could decrypt the data is itself compromised along with the data, the PHI is not “secured” and the notification requirements apply.
Encryption and Destruction of PHI under DHHS Guidelines
DHHS identifies two methods for rendering PHI “secured”: encryption and destruction. Encryption is the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning to the data without use of a confidential process or key. The DHHS guidance states that valid encryption processes are those consistent with National Institute of Standards and Technology (NIST) standards for encryption. For data at rest, NIST has published a Guide to Storage Encryption Technologies for End User Devices (Special Publication 800-111); for data in motion, the guidance points to NIST publications on TLS, IPsec and SSL VPNs or to other processes validated under FIPS 140-2. The NIST publications are available at http://www.nist.gov/index.html.
The second method, destruction, secures PHI in either paper or electronic form. Paper and other hard-copy media must be shredded or destroyed so that the PHI cannot be read or otherwise reconstructed; the DHHS guidance specifically excludes redaction as a means of destruction. Electronic media must be cleared, purged or destroyed, and the destruction should be performed consistent with NIST standards. NIST has published Guidelines for Media Sanitization (Special Publication 800-88), which distinguishes those three levels of sanitization by the type of media and the sophistication of the recovery attempt it must resist. It is available at http://www.nist.gov/index.html.
Board Oversight Obligations to Secure PHI
In satisfying the DHHS requirements for “securing” PHI, Boards must establish appropriate and effective safeguards and security measures so that the risk of failing to comply with encryption and destruction policies is minimized. The use of improper, careless or noncompliant techniques for encrypting or destroying PHI carries a high risk of damage-control expense, penalties for noncompliance, devastatingly adverse publicity and widespread liability to the individuals whose PHI has been compromised.
Boards of healthcare providers must devote sufficient resources, supervised by competent personnel at a sufficiently high level in the corporate organization, to securing PHI. The resources invested up front in orderly risk management are well worth the avoided costs of damage control. Monitoring, and regular feedback to the Board on the effectiveness of these efforts, are a necessary follow-up.
When the final regulations on securing PHI are issued by DHHS and the FTC, this blog will address some of their principal points.
[To be continued in Installment 5]