HIPAA Guidance and Request for Comments: Securing Protected Health Information and Breach Notification

May 7, 2009

The American Recovery and Reinvestment Act of 2009 (ARRA) makes significant changes to the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by incorporating the Health Information Technology for Economic and Clinical Health Act (HITECH). The changes to HIPAA affect both covered entities and business associates. Among these changes, covered entities and business associates are now required to provide notification when unsecured protected health information (PHI) has been breached.

Related Guidance and Request for Comments Issued

As required under HITECH, on April 17, 2009, the Department of Health and Human Services (HHS) issued guidance on the methods that render PHI secured. The guidance also contains a request for information on: (1) the methods it introduces for securing PHI, and (2) the breach notification process. Comments must be submitted on or before May 21, 2009.

Securing Protected Health Information

The guidance defines secured PHI as PHI that is “unusable, unreadable, or indecipherable to unauthorized individuals.” A breach involving only secured PHI does not trigger the HITECH Act’s notification requirements. However, the covered entity may still be required to take steps under the HIPAA privacy and security rules to correct or mitigate the circumstances surrounding the breach of secured PHI. The two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals – “Encryption” and “Destruction” – are described in further detail below.

Encryption

To be secured PHI, electronic PHI must be encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” Further, the confidential process or key must not itself have been breached; for example, the key must not be accessible to unauthorized users. In practice this means the decryption key cannot travel with the encrypted data: a lost laptop or backup tape that carries both the ciphertext and the key (or a passphrase taped to it) holds unsecured PHI, not secured PHI. The encryption process used must also comply with federal guidelines, and covered entities and business associates should be prepared to update their methodologies as further guidance is issued.
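The encryption standard above, shown in working code. This is an added illustration and is not part of the HHS guidance or the original article. It seals a PHI record with AES-256-GCM from Go's standard library, so that the stored blob carries no key material, and then shows what a holder of the lost media can and cannot do with it. The sample record is constructed, the assumption that the key lives in a separate key management service is stated in a comment, and the `LeaksPlaintext` check is a demonstration helper, not a compliance test.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Sealed is the record as it sits on a laptop, backup tape or USB drive that
// could later be lost or stolen. It carries the nonce and the AES-GCM output
// (ciphertext followed by a 16-byte authentication tag) and, deliberately,
// no key material.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey generates a random 256-bit AES key. Assumed deployment: the key is
// held by a key management service or HSM and is never written to the media
// that holds Sealed. That separation is what keeps a lost copy "secured".
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one PHI record under key with a fresh random 96-bit nonce.
func Seal(key, record []byte) (*Sealed, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Sealed{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, record, nil)}, nil
}

// Open decrypts and verifies a sealed record. A wrong key, or any change to
// the nonce or ciphertext, fails the tag check and returns an error rather
// than plaintext.
func Open(key []byte, s *Sealed) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, s.Nonce, s.Ciphertext, nil)
}

// LeaksPlaintext is a demonstration helper (not a compliance test): it reports
// whether a known field of the record is still visible in the stored blob,
// i.e. whether someone holding the media could read it without the key.
func LeaksPlaintext(s *Sealed, field []byte) bool {
	return bytes.Contains(s.Ciphertext, field)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("patient=Jane Doe;mrn=000123;dx=E11.9")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d bytes; MRN visible in it: %v\n",
		len(sealed.Ciphertext), LeaksPlaintext(sealed, []byte("000123")))

	// Whoever finds the media has the blob but not the key: any other key fails.
	otherKey, _ := NewKey()
	if _, err := Open(otherKey, sealed); err != nil {
		fmt.Println("decrypt without the right key:", err)
	}

	// The authorized party, holding the key, recovers the record.
	plain, err := Open(key, sealed)
	fmt.Printf("decrypt with the key: %q (err=%v)\n", plain, err)
}
```

The point of the `Open` failure is the one the guidance makes: the ciphertext alone gives an unauthorized holder no way to assign meaning to the data, and because GCM authenticates, it cannot even be silently altered. If the same device also held the key, none of that would help and the lost data would be unsecured PHI.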

Destruction

The media on which PHI is stored must be destroyed so thoroughly that the PHI cannot be reconstructed. Paper, film or other hard copies must be shredded or otherwise rendered unreadable. Electronic media must be cleared, purged or destroyed, again consistent with federal guidelines, so that the data cannot be retrieved.

Further details regarding the federally approved encryption and destruction guidelines can be found at the NIST website; the HHS guidance points in particular to NIST Special Publication 800-111 for storage encryption and NIST Special Publication 800-88 for media sanitization.

Breach Notification

Under the HITECH Act, a breach is defined as “an unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” HITECH provides that a breach is treated as discovered on the first day on which the breach is known to the covered entity or business associate, or on which it reasonably should have been known. Notifications must be made without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. If the breach involved only PHI secured in accordance with the guidance, notification is not required. Both covered entities and business associates have breach notification responsibilities. HITECH also provides limited exceptions for unintentional or inadvertent acquisitions, accesses or disclosures made in good faith in the normal course of handling PHI.

Covered Entity

Upon discovery of a breach, notice shall be given to all affected individuals and, in some cases, to HHS and the media.

Business Associate

A business associate must notify the covered entity of a breach, upon discovery. The notice should include the identification of each individual whose unsecured PHI has been (or is reasonably believed to have been) accessed, acquired or disclosed during the breach.

Contents of the Notice

The covered entity must provide notices to affected individuals that include the following information:

  • A brief description of what occurred, including the date of the breach and the date of the discovery.
  • A description of the types of unsecured PHI that were involved.
  • The steps individuals should take to protect themselves from harm as a result of the breach.
  • A brief description of what the covered entity is doing to investigate the breach, to mitigate losses and to protect against further breaches.
  • Contact procedures for individuals to ask questions or obtain additional information, including a toll-free telephone number, e-mail address, website or postal address.

Breach Affecting 500 or More Individuals

In addition to the general notice requirements outlined above, with respect to breaches affecting 500 or more individuals, additional obligations will apply:

  • The notice to HHS must be provided immediately. HHS will post the name of any entity involved in a breach of this size on its website.
  • If the breach affects 500 or more individuals in a single state or jurisdiction, the notice must be provided in prominent local media outlets as well.

Effective Date

Interim final regulations on breach notification are to be published no later than August 16, 2009. The notification provisions are currently scheduled to take effect, and to apply to any breach that occurs, 30 days after publication of those regulations (i.e., no later than September 15, 2009).

Next Steps

In light of the changes outlined above, covered entities and business associates should review and update their security infrastructures to minimize their exposure under the PHI security and breach notification requirements. McGuireWoods is prepared to assist in creating and revising HIPAA privacy and security procedures, training materials, business associate agreements and any other required process as it applies to HIPAA under HITECH.

To view the guidance or submit a comment in response to the request for information, visit the HHS Health Information Privacy page.

In addition, for additional information regarding the manner in which the amended HIPAA provisions may impact your entity, please contact the authors or any member of the McGuireWoods Employee Benefits, Labor & Employment or Health Care teams. Updates on related regulatory and business matters can be found in our Stimulus Package section.