Educause Security Discussion mailing list archives

HITECH - Breach Notification for Unsecured PHI: encryption & key management


From: "McGrath, Faith" <faith.mcgrath () YALE EDU>
Date: Sun, 13 Sep 2009 18:23:39 -0400

There is text in the 24 August Interim Final Rule for 'Breach Notification for Unsecured Protected Health Information' guidance defining safe harbor from notification which includes the requirement: "First, for purposes of the guidance below and ensuring encryption keys are not breached, we clarify that covered entities and business associates should keep encryption keys on a separate device from the data that they encrypt or decrypt." (Federal Register - 45 CFR Parts 160 and 164 - pg 42742 - http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf).

Yale participated in the recent Association of American Medical Colleges (AAMC) encryption survey (http://www.aamc.org/members/gir/newsletter.htm), but this didn't provide much detail on specific implementations and was conducted prior to the 24 August Interim Final Rule, so we are trying to get a better understanding about what our peer institutions are doing specifically related to this key management issue as defined in the regulation. The breach notification regulation does not require encryption nor that the keys be kept on a separate device, but if these elements are not in place and there is a breach -- then you must comply with the notification requirements.

Background: Yale is currently using PGP whole disk and file level encryption as one method to mitigate risk of breach notification on desktop/laptop computers and we are now evaluating the use of tokens/smart cards as an option to "keep encryption keys on a separate device from the data that they encrypt or decrypt" for personal computers used in the University's HIPAA Covered Components – which for us includes the Group Health Plan Component and the Covered Health Care Component (School of Medicine, School of Nursing, Department of Psychology clinics and Yale University Health Services). The University is engaged in clinical care (TPO) and clinical research with an affiliated community hospital that is a separate entity from the University (we have an OCHA - organized health care arrangement) and this relationship includes having University staff using hospital owned computing devices on the hospital network; and to a lesser, but still substantial degree, we are engaged (TPO and research) with our local VA hospital. The community hospital is investigating use of smart cards for authentication and the VA is transitioning to use of CAC cards. Both organizations are also moving to thin client technologies in their clinical care setting. Because of our close interactions with these entities we need to be cognizant of integration issues with any encryption solutions. We have already had some email encryption issues c/o the VA is currently using S/MIME and we use PGP.

If any of you are in similar circumstances, I would be grateful to hear how you are addressing this issue. It would also be helpful to know if your institution participated in the AAMC survey.

If this topic is not of general interest to the list, please feel free to contact me directly. Thanks.


___________________________
Faith McGrath, Compliance Officer
Yale University ITS - Information Security
faith.mcgrath () yale edu
voice: 203.737.4087
security () yale edu || security.yale.edu