mation went into effect September 23, 2009. Section 13402(h) of the HITECH Act defines unsecured protected health information as “protected health information that is not secured through the use of a technology or methodology specified by
As required by HITECH, the HHS secretary specified encryption and destruction as technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals such that breach notification would not be required.
Furthermore, HITECH refers to the National Institute of Standards and Technology (NIST) as a source for encryption standards, specifically Federal Information Processing Standard (FIPS) 140-2. FIPS 140-2 specifies the security requirements for cryptographic modules; a module is tested by an accredited laboratory and validated under NIST's Cryptographic Module Validation Program (CMVP) before it is considered approved to protect information at various levels of sensitivity. Healthcare organizations should look for IT products that state conformance with FIPS 140-2, and because a vendor's claim of being “FIPS compliant” is not the same as a validated module, they should confirm that the product's cryptographic module appears on the CMVP validated modules list and that the product is configured to operate in its FIPS-approved mode.
Note: At press time, the interim final rule is still in effect. A final rule is expected later this year. Organizations are expected
to meet the requirements of the current interim rule as well as
the final rule, once the final rule is published and becomes effective.
Individual State Law
Individual states may have laws or regulations that require health information to be protected against threats to security, integrity, and unauthorized use. In some cases a state law is more stringent than federal law; HIPAA does not preempt more stringent state law, so a preemption analysis must be applied to determine which requirement governs.
For example, many states have laws with specific requirements and protections related to “high risk” records such as
mental health, HIV, and substance abuse/treatment records.
Legal counsel should be consulted for proper guidance in preemption decisions.
Medicare Conditions of Participation
The Medicare Conditions of Participation for healthcare facilities also address information security and include the following:
• Hospitals “must have a procedure for ensuring the confidentiality of patient records. Information from or copies of records may be released only to authorized individuals, and the hospital must ensure that unauthorized individuals cannot gain access to or alter patient records.”
• Home health agencies must ensure “clinical record information is safeguarded against loss or unauthorized use.”
• Residents of state and long-term care facilities have “the right to personal privacy and confidentiality of his or her personal and clinical records.”
• Comprehensive outpatient rehabilitation facilities “must safeguard clinical record information against loss, destruction, or unauthorized use.”
• A critical access hospital “maintains the confidentiality of record information and provides safeguards against loss, destruction, or unauthorized use.”
Privacy Act of 1974
The Privacy Act of 1974 mandates that federal agencies protect the confidentiality of the individually identifiable records they maintain in their systems of records. Section 5 U.S.C. § 552a(e)(10) of the act states that agencies must “establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.”
Code of Federal Regulations Related to Alcohol and Drug Abuse
The Code of Federal Regulations relative to alcohol and drug abuse, 42 CFR, chapter I, part 2, § 2.1, states that records of the identity, diagnosis, prognosis, or treatment of any patient that are maintained in connection with the performance of any drug abuse prevention function conducted, regulated, or directly or indirectly assisted by any department or agency of the United States shall be confidential and disclosed only for the purposes and under the circumstances expressly authorized.
The Joint Commission's standards for hospital and ambulatory care (IM.02.01.01 and IM.02.01.03) state the hospital “protects the privacy” and “maintains the security and integrity” of health
Mobile Device Best Practices and Recommendations
Mobile devices present numerous management challenges for the ePHI they carry and transmit. Among the most critical are the increased privacy and security risk to the data and the greater likelihood that the device is lost or stolen, either of which can lead to a breach and to unintended harm to the patient.
These risks can be minimized by establishing appropriate controls and implementing the measures necessary for adequate health information protection. It is also imperative that organizational policies and procedures be clearly communicated to, and enforced for, all workforce members in order to set expectations and convey accountability.
In terms of establishing appropriate controls and implementing necessary measures, healthcare organizations must, at a
minimum, establish written policies and procedures covering
the use of mobile devices that address the following issues:
Device ownership. If personal devices are permitted for business use, organizational policy must define the conditions that must be met and how compliance will be verified. For example, if personal devices are allowed, policies and procedures should address the following:
• Annual agreement to, and signing of, the organization's “rules of behavior” (see below)
• Requirements for password protection