Educause Security Discussion mailing list archives
Re: HITECH Breach Notifications - NIST Required or Safe Harbor?
From: Faith Mcgrath <faith.mcgrath () YALE EDU>
Date: Tue, 15 Sep 2009 17:59:51 -0400
It is my interpretation that the definition of encryption of PHI as defined in the 2005 HIPAA Security Rule is synonymous with the definition of encryption in the 'Breach Notification for Unsecured Protected Health Information; Interim Final Rule' (based on the text below). What the breach notification documentation has added by referencing NIST SP 800-111 & 800-52 is simply to provide more detailed guidance -- and NIST provides a list of vendors who have implemented validated cryptographic modules tested and validated to FIPS 140-1 or FIPS 140-2 (http://csrc.nist.gov/groups/STM/cmvp/validation.html) -- meeting the standard as defined in the 2005 HIPAA Security Rule.

Hope this helps.
-faith
(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key" and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.
(i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
(ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.
45 CFR Parts 160 and 164
Breach Notification for Unsecured Protected Health Information; Interim Final Rule
http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf

Chris Kidd wrote:
A question about the HITECH encryption standard for the breach notification requirements: Do you view NIST/FIPS standards/certifications as a requirement to meet the HITECH encryption requirements, or is NIST just a safe harbor, and other similar technological standards would also meet the HITECH standards? Another way of asking the same question is whether compliance with the encryption standards in the HIPAA Security Rule equates with compliance under HITECH. We have looked at the guidance on this and it's hard to tell if NIST is the only relevant standard or just a safe harbor.

Thanks,
Chris Kidd

Chris Kidd
650 Komas Drive, Suite 102
Salt Lake City, UT 84108
Office: 801.587.9241
Cell: 801.747.9028
chris.kidd () utah edu
http://www.secureit.utah.edu
--
Faith McGrath, Compliance Officer
Yale University ITS - Information Security
faith.mcgrath () yale edu
voice: 203.737.4087
PGP public key: http://keys.yale.edu/ || ldap://keys.yale.edu
security () yale edu || security.yale.edu

Save a tree - please consider the environment before printing this email.

Please be aware that email communication can be intercepted in transmission or misdirected. Please consider communicating any sensitive information by telephone, fax or mail. The information contained in this message may be privileged and confidential. If you are NOT the intended recipient, please notify the sender immediately and destroy this message. If you wish to confirm the content of this message and/or the identity of the sender please contact me at the phone number given above.