Guidance for Securing PHI Issued by HHS
The Department of Health and Human Services has just issued guidance on the
technologies and methodologies for keeping protected health information (PHI) secure for
purposes of health breach notifications. The guidance identifies technologies and
methodologies for ensuring PHI is unusable, unreadable or indecipherable to unauthorized

The two accepted methods for securing electronic PHI from unauthorized access and use
are encryption and destruction. The successful use of encryption depends upon two key
features: (1) the strength of the encryption algorithm and (2) the security of the decryption key or
process. For destruction to be acceptable, it must occur in one of two ways: (1) paper,
film or other hard copy media have been shredded or destroyed such that the PHI cannot be
read or otherwise reconstructed, or (2) electronic media have been cleared, purged or destroyed
consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, so that the PHI
cannot be retrieved.

The HHS guidance marks the first of several HHS guidance documents and regulations relating to
the HIPAA security and privacy changes that were required under ARRA (the American Recovery
and Reinvestment Act of 2009). Covered entities and their business associates should be
prepared to be in compliance with the specified encryption and destruction standards to ensure
that PHI is appropriately secured for purposes of the breach notification requirements. Although
the HHS guidance is voluntary, compliance with the standards permits covered entities and
business associates to disregard the burdensome notification requirements that will be set forth
under the interim final regulations.