 HITECH Compliance
What do I have to do with my network and servers, as a "BAA", to comply with HITECH as a HIPAA Security Officer? Must every hard drive be encrypted that contains PHI? What if my older applications used for transcription cannot read and write to an encrypted drive? What does the law itself state? Where is the best place for guidance on this subject, since the government does not appear to have published any useful data?
ASKED: March 17, 2010  11:06 PM
UPDATED: April 22, 2010  6:29 pm

Answer Wiki:
This question is not that easy to answer. The regulation itself doesn't say anything about requiring encryption. However, there is a safe harbor provision pertaining to your requirement to notify the individuals and the Secretary of HHS in case you have a security breach. It basically states that if the information is "unusable, unreadable, or indecipherable to unauthorized individuals", then the covered entity does not have to report the breach. HHS doesn't specify what would qualify in their mind to allow you to apply this safe harbor provision, but they do cite examples: FIPS 140-2 compliant encryption for data in transit (any kind of electronic transmission) and NIST 800-111 compliant encryption for data at rest (i.e. laptops, PDAs, hard disks etc.).

So, having encrypted disks on portable devices will make you suffer a lot less pain and embarrassment should a device be lost or stolen. Alternatively you can make sure that none of the data ever leaves your data center. You can achieve that by virtualizing desktops and applications in the data center and using secure and high performance delivery protocols. I am planning on releasing some material specifically around this topic, so stay tuned.

Florian
Twitter: @florianbecker
TechTarget Blog: Virtualization Pulse
Ask the Architect - Everything Healthcare

To answer the specific question that was asked: as a business associate under HITECH you need to follow the HIPAA Security Rule safeguard requirements that already apply to you, recognizing that under HITECH you may now be held directly responsible for violating HIPAA, rather than the HIPAA-covered entity or entities with which you have business associate agreement(s) in place. As for encryption, you are not required to implement any data encryption at all if you don't want to/can't make the business case to do so.

The incentive is to give yourself an exception from data breach notification rules if your data is compromised; if it's "unusable, unreadable, or otherwise indecipherable" then you don't have to report that it went missing. If you have systems that can't take advantage of encryption technology, then you want to make sure your other security controls (including data handling processes) are as able as possible to prevent PHI from being disclosed without authorization. One source of guidance on this is the health data breach disclosure rules themselves, available with guidance and instructions from the HHS Health Information Privacy website, at
Last Wiki Answer Submitted:  April 22, 2010  6:29 pm  by  FlorianB   195 pts.
All Answer Wiki Contributors:  FlorianB   195 pts.
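As an added illustration (not part of the answer above or of any TechTarget material), the Go program below shows what the "unusable, unreadable, or indecipherable" condition rests on in practice: a constructed PHI record is encrypted at rest with AES-256-GCM, and the key is held apart from the stored blob (here a placeholder for a KMS, HSM or TPM-backed key store). Whoever holds only the blob recovers nothing, and any modification of the blob is rejected on read. The sample record, the function names and the key handling are this example's assumptions; FIPS 140-2 validation is a property of a cryptographic module and is not something this snippet claims.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record standing in for a transcription note with PHI.
// Not real patient data.
const samplePHI = "MRN 000-TEST-123 | Jane Doe (fictional) | note: routine follow-up"

// newDataKey returns a random 256-bit key. In a deployment this key would be
// generated and kept in a separate key store, never on the disk holding the blob;
// a disk (or backup tape) that carries both the blob and its key is not "indecipherable".
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealPHI encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// A fresh random nonce is drawn per call; callers never supply their own, because
// reusing a nonce under the same key destroys GCM's confidentiality and integrity.
func sealPHI(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openPHI reverses sealPHI. It fails if the key is wrong, if the blob is truncated,
// or if any bit of the blob was altered, since GCM authenticates the ciphertext.
func openPHI(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, nil)
}

func main() {
	key, err := newDataKey()
	if err != nil {
		panic(err)
	}
	blob, err := sealPHI(key, []byte(samplePHI))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes, begins %x...\n", len(blob), blob[:8])

	// Lost-device scenario: the blob is in someone else's hands, the key is not.
	wrongKey, _ := newDataKey()
	if _, err := openPHI(wrongKey, blob); err != nil {
		fmt.Println("read without the key:", err)
	}

	// Tampering: flipping a single bit anywhere in the blob is detected.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := openPHI(key, tampered); err != nil {
		fmt.Println("read of altered blob:", err)
	}

	// Authorized read with the right key recovers the record.
	plain, err := openPHI(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("authorized read:", string(plain))
}
```

The point a security officer should take from the example is the key location, not the cipher: the safe harbor argument for a lost drive only holds if the key was never on that drive, which is the same reason full-disk encryption products tie the key to a passphrase, smart card or TPM rather than storing it in the clear on the volume.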
