Encryption HITECH Act Security Requirements

Encryption HITECH Act Security Requirements - As HITECH Act encryption security technology moves forward, safeguarding protected health information (PHI) has become a top priority for many regulators. Formerly, when a participating agency declared a system HIPAA compliant, it primarily meant that measures and regulations had been imposed to keep patient medical records in the right place. With the amendments introduced by the Health Information Technology for Economic and Clinical Health (HITECH) Act of the American Recovery and Reinvestment Act of 2009, however, medical practitioners and institutions are required to notify patients and the concerned agencies when a breach of unsecured PHI occurs. Failure to comply with the HITECH Act security breach notification requirements subjects a company to penalties.


The HITECH Act, which took effect on September 30, 2009, mandates that medical institutions add security features to their IT infrastructures and implement additional policies in order to reduce the unauthorized exposure of PHI, forcing companies and health care providers to strengthen their policies on the handling of PHI. More specifically, the Act covers the encryption and decryption of information transferred to storage media used by patients, such as backups, removable storage devices and the like. Beyond encryption, additional measures such as the retrieval and management of patient information are also strengthened to toughen the protection in place.

The Act describes what "unsecured protected health information" covers. Accordingly, unsecured protected health information is patient information that has not been secured through the technologies and methodologies specified by the Secretary of the Department of Health and Human Services (HHS). Unsecured protected health information includes both physical and electronic information entrusted to covered entities.

Securing unsecured PHI renders the information unreadable, unusable, and indecipherable to individuals with no authority to use it. Through the use of specified encryption and decryption methods approved by the National Institute of Standards and Technology (NIST), the information can then be considered secure. Technically, the encryption can be done using a 128-bit cipher algorithm. A breach of PHI occurs when someone unauthorized to access PHI takes possession of the information, or when someone who has been granted access rights divulges the information freely to other entities without proper authority.

Encryption should cover not only records in the possession of patients on their preferred storage medium, but also the process of transferring the information from one system to another. By following these procedures for securing PHI, covered entities or businesses are exempt from the notification procedure in cases where encrypted PHI is compromised.

In connection with breach notification, covered entities are mandated to notify affected individuals or the participating agency only when the information is considered "unsecured". The Act provides guidelines for determining whether information is considered unsecured. However, even after following the procedures needed to transform unsecured PHI into secured information, covered entities must at all times comply with the rules and regulations of their state concerning any breach of PHI, which makes them legally liable to answer any inquest in connection with such events.

The HITECH Act also specifies how affected individuals are to be notified. Covered entities may issue written notices or phone calls to affected individuals. However, if the breach affects more than 500 individuals, other methods of notification, such as posting on an HHS web page or on the covered entity's own web page, are among the options.