Educause Security Discussion mailing list archives

Re: HITECH Breach Notifications - NIST Required or Safe Harbor?


From: Faith Mcgrath <faith.mcgrath () YALE EDU>
Date: Tue, 15 Sep 2009 17:59:51 -0400

It is my interpretation that the definition of encryption of PHI as defined in the 2005 HIPAA Security Rule is synonymous with the definition of encryption in the 'Breach Notification for Unsecured Protected Health Information; Interim Final Rule' (based on the text below). What the breach notification documentation has added by referencing NIST SP 800-111 & 800-52 is simply to provide more detailed guidance -- and NIST provides a list of vendors who have implemented validated cryptographic modules tested and validated to FIPS 140-1 or FIPS 140-2 (http://csrc.nist.gov/groups/STM/cmvp/validation.html) -- meeting the standard as defined in the 2005 HIPAA Security Rule. Hope this helps. -faith



********************************************************************************************************************************
(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key" and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard. (i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. (ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.

        45 CFR Parts 160 and 164
Breach Notification for Unsecured Protected Health Information; Interim Final Rule
        http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf



Chris Kidd wrote:
A question about the HITECH encryption standard for the breach notification requirements: Do you view NIST/FIPS standards/certifications as a requirement to meet the HITECH encryption requirements or is NIST just a safe harbor, and other similar technological standards would also meet with the HITECH standards? Another way of asking the same question is whether compliance with the encryption standards in the HIPAA security rule equates with compliance under HITECH. We have looked at the guidance on this and it's hard to tell if NIST is the only relevant standard or just a safe harbor.

Thanks,
Chris Kidd



Chris Kidd
650 Komas Drive, Suite 102
Salt Lake City, UT 84108
Office: 801.587.9241
Cell: 801.747.9028
chris.kidd () utah edu

http://www.secureit.utah.edu




--
Faith McGrath, Compliance Officer
Yale University ITS - Information Security
faith.mcgrath () yale edu
voice: 203.737.4087
PGP public key: http://keys.yale.edu/ || ldap://keys.yale.edu
security () yale edu || security.yale.edu

