Educause Security Discussion mailing list archives
Re: HITECH Breach Notifications - NIST Required or Safe Harbor?
From: "St Clair, Jim" <Jim.StClair () GT COM>
Date: Tue, 15 Sep 2009 11:35:00 -0500

Chris Kidd wrote: "A question about the HITECH encryption standard for the breach notification requirements: Do you view NIST/FIPS standards/certifications as a requirement to meet the HITECH encryption requirements or is NIST just a safe harbor, and other similar technological standards would also meet with the HITECH standards? Another way of asking the same question is whether compliance with the encryption standards in the HIPAA security rule equates with compliance under HITECH. We have looked at the guidance on this and it's hard to tell if NIST is the only relevant standard or just a safe harbor."

The HHS Interim final rule states: "The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard."

So if you previously complied with HIPAA standards through encryption, AND your encryption solution complies with NIST, then you should in turn comply with HITECH.

Jim