HHS issued guidance on protecting personally identifiable healthcare information by encrypting or destroying it so that it is rendered “unusable, unreadable or indecipherable to unauthorized individuals.” The 20-page document was the work of a joint effort by HHS, its Office of the National Coordinator for Health Information Technology and Office for Civil Rights, and the CMS.
The guidance was required by the stimulus package and is linked to a pair of breach-notification regulations required under the legislation. One is to be issued by HHS, and the other by the Federal Trade Commission. Previously, the FTC issued an interim rule and a request for comments covering breach notification by personal health-record vendors and other entities not covered by the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996.
HHS also requests public comments on the proposed rulemaking due by May 21