Final PHI Protection Rule Won't Mandate Encryption


The omnibus federal final rule that will cover changes to the HIPAA privacy, security, breach notification and enforcement rules will not include a mandate for encryption of protected health information, confirms Susan McAndrew, deputy director for health information privacy in the Department of Health and Human Services' Office for Civil Rights.

Asked in an e-mail interview with Health Data Management if some type of encryption mandate would be in the final rule, McAndrew noted that none of the earlier proposals called for a regulatory change to the existing security rule on encryption. Consequently, additional rulemaking would be necessary to mandate encryption, and such a mandate won't be in the omnibus final rule. "If the requirement for encryption changes from an addressable implementation specification to a required implementation specification under the security rule, then normal notice and comment rulemaking processes would need to follow," she said.

McAndrew wasn't as clear when asked if the breach notification "harm threshold," which allows an organization to forgo notification of a breach if it determines that no consequential harm has resulted or will result, will be eliminated in the final rule.

"OCR received public comment on the interim final breach notification rules both for and against how the rule defined incidents that qualified as breaches requiring individual notification," she noted. "These comments will be carefully reviewed and OCR will respond to them in the final rule."

McAndrew's answers to other questions broke no new ground:

Q: What are the reasons for the delay in the final privacy/security/breach/enforcement rules and the expected release?

A: OCR is working to address the concerns raised during the public comment periods on the proposed rules and is ensuring that the new regulatory requirements operate as intended. To minimize the transitional burden on covered entities, OCR is also issuing a single final rulemaking that combines four separate dockets issued during 2009 and 2010. While there is no definite date, OCR expects to publish the rule in the coming months.

Q: What are the toughest issues being worked out?

A: Changes to HIPAA under the HITECH Act present challenges to privacy and security protections for patient information. The impacts of the new breach notification requirements are already evident--not only in terms of public perception of those entities that are reporting breaches--but also in the behavior of covered entities. The increased penalties for failure to comply with the HIPAA privacy or security requirements, particularly with respect to business associates who face the same penalties as covered entities, have raised awareness and renewed commitment to a culture of compliance.

--Joseph Goedert

