Health Breach Notification Rulemaking #541358-00089

Submission Number:
John Norris
Trinity Health - Legal Department
Initiative Name:
Health Breach Notification Rulemaking

The regulation states: If such guidance is not issued…the term unsecured means “not secured by a technology standard that renders PHR identifiable information unusable, unreadable, or indecipherable to unauthorized individuals and that is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.” We are assuming that “accredited by the American National Standards Institute” implies the National Instituted of Standards and Technology (NIST) standards. The actual linkage documentation is difficult to find. This brings up two questions. First, NIST has many “should” statements in their requirements. This seems to imply that the process is risk based. Therefore the acceptable implementation of cryptographic technology is relative to our interpretation of risk. Can the regulations tighten this up. For example, is Windows Integrated Login acceptable or is Preboot Authentication required. Also, are separate passwords required for operating system access and encryption access? Second, NIST references FIPs 140-2 as to what is an acceptable cryptographic technology. The practice refers to four levels of assurance. Do the regulations expect or require a specific minimum level of assurance or can we assume that Level 1 is sufficient.