The National Institute of Standards and Technology (“NIST”) first became involved with HIPAA when it published “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule” (SP 800-66 Revision 1) in October 2008 to assist covered entities in complying with HIPAA’s security requirements. In its preamble to the Security Rule, the U.S. Department of Health and Human Services (“HHS”) had already cited several NIST publications as potentially valuable resources for readers with questions about IT security.
To date, the only specific reference to NIST standards in the Security Rule does not require compliance with any NIST standard; rather, it exempts covered entities from having to report a breach if the PHI involved was secured by one of two NIST-based methods (encryption or media destruction). The Breach Notification Rule requires reporting only breaches of “unsecured” protected health information (“PHI”). 45 C.F.R. §§ 164.400-414.
HHS considers PHI secured if it has been rendered unusable, unreadable, or indecipherable to unauthorized individuals by one of the following methods:
- Electronic PHI (“EPHI”) has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 C.F.R. § 164.304, definition of encryption) and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data that they are used to encrypt or decrypt. The encryption processes identified below have been tested by NIST and judged to meet this standard.
  - Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, “Guide to Storage Encryption Technologies for End User Devices.”
  - Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, “Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations”; 800-77, “Guide to IPsec VPNs”; or 800-113, “Guide to SSL VPNs”; or others that are Federal Information Processing Standards (“FIPS”) 140-2 validated.
- The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
  - Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.
  - Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, “Guidelines for Media Sanitization,” such that the PHI cannot be retrieved.
Thus, more simply stated, breached data is secured, and hence the breach need not be reported, if the data was encrypted or destroyed consistent with the NIST standards above, even though nothing in HIPAA requires encryption or specifies any particular method of destruction. Rather, encryption is “addressable”: a covered entity must implement it if its risk analysis shows it to be reasonable and appropriate, and otherwise must document why it is not and implement an equivalent alternative measure where one is reasonable and appropriate (45 C.F.R. § 164.306(d)(3)). Under the Access Control Standard, encryption/decryption is addressable, § 164.312(a)(2)(iv), and under the Transmission Security Standard, § 164.312(e)(2)(ii), it is likewise addressable. But as a practical matter, considering the modest cost of encryption against the cost of a breach, it will almost always be reasonable and appropriate and, hence, required as a practical, if not a legal, matter.
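The encryption-at-rest and key-separation point above can be made concrete. The following is an added example written for this page; it is not code from HHS, NIST, or any cited publication. It uses Go’s standard-library AES-256-GCM (an algorithm FIPS 140 validated modules implement) and a hypothetical in-memory `KeyStore` standing in for a KMS, HSM, or key file kept on a different system. The device that stores the PHI holds only the ciphertext and a key identifier, never the key, so a lost device yields nothing an attacker can assign meaning to. The sample record is constructed and not real patient data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record for the demonstration; it is not real patient data.
const samplePHI = `{"mrn":"000123","name":"J. Doe","dx":"I10"}`

// KeyStore is a hypothetical stand-in for the location that is kept separate
// from the data (a KMS, HSM, or a key file on a different system). The device
// that holds the ciphertext holds only the key's identifier, never the key.
type KeyStore map[string][]byte

// NewDataKey creates a 256-bit AES key and registers it under keyID.
func (ks KeyStore) NewDataKey(keyID string) ([]byte, error) {
	key := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	ks[keyID] = key
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. The output is nonce || ciphertext || tag.
// aad (here the key ID) is authenticated but stored in the clear beside the blob.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit random nonce, fresh per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. Any change to the blob, the aad, or the key makes the
// GCM tag check fail, so a recovered device without the key yields nothing usable.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Leaks reports whether the stored blob still contains the plaintext, i.e.
// whether meaning can be assigned to it trivially, without the key.
func Leaks(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	keys := KeyStore{}
	keyID := "phi-data-key-01" // hypothetical identifier
	key, err := keys.NewDataKey(keyID)
	if err != nil {
		panic(err)
	}
	// What the laptop holds: the blob and the key ID, not the key.
	blob, err := Encrypt(key, []byte(samplePHI), []byte(keyID))
	if err != nil {
		panic(err)
	}
	fmt.Printf("on-device blob (%d bytes) contains plaintext: %v\n", len(blob), Leaks(blob, []byte(samplePHI)))
	// Authorized path: the key is fetched from the separate store by ID.
	pt, err := Decrypt(keys[keyID], blob, []byte(keyID))
	fmt.Printf("decrypt with key from store: %q err=%v\n", pt, err)
	// Attacker with the device but without the key store.
	_, err = Decrypt(make([]byte, 32), blob, []byte(keyID))
	fmt.Printf("decrypt with wrong key: err=%v\n", err)
}
```

The design choice worth noting is that the key identifier travels with the blob as authenticated data: a blob cannot be silently re-pointed at a different key, and an attacker who obtains the device (the "unsecured" scenario in the breach rule) gets only a nonce, ciphertext, and an opaque identifier. If the key store itself is compromised, the exemption no longer applies, which is exactly why the guidance insists the two be kept apart.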
With the increasing number of cybersecurity breaches since HIPAA became law, HHS recognized that more attention needed to be paid to improving cybersecurity, focused on the NIST Framework for Improving Critical Infrastructure Cybersecurity (often referred to as the “Cybersecurity Framework”), and developed a crosswalk between it and the HIPAA Security Rule. The Cybersecurity Framework is a policy framework of computer security guidance for how private sector organizations in the U.S. can improve their ability to prevent, detect, and respond to cyberattacks. NIST published Version 1.0 in 2014. In 2017, a draft of Version 1.1 was circulated for public comment, and Version 1.1 was made publicly available on April 16, 2018. Its changes include guidance on how to perform self-assessments, additional detail on supply chain risk management, and guidance on how to interact with supply chain stakeholders. The Cybersecurity Framework is available at https://www.nist.gov/cyberframework.
Although not mandated by law, compliance with the relevant NIST standards would appear to leave little room for anyone to challenge whether your security measures were reasonable and appropriate. Just make sure that your written risk analysis documents your decision to follow the NIST standards and why. And update your risk analysis every year and every time you make a major change in your practice, especially, in this context, when deploying a new computer system.