Educause Security Discussion mailing list archives

Re: HITECH Breach Notifications - NIST Required or Safe Harbor?


From: "St Clair, Jim" <Jim.StClair () GT COM>
Date: Tue, 15 Sep 2009 11:35:00 -0500

Chris Kidd wrote:
"A question about the HITECH encryption standard for the breach notification requirements: Do you view NIST/FIPS 
standards/certifications as a requirement to meet the HITECH encryption requirements or is NIST just a safe harbor, and 
other similar technological standards would also meet with the HITECH standards?  Another way of asking the same 
question is whether compliance with the encryption standards in the HIPAA security rule equates with compliance under 
HITECH.  We have looked at the guidance on this and it's hard to tell if NIST is the only relevant standard or just a 
safe harbor."


The HHS Interim final rule states: "The encryption processes identified below have been tested by the National 
Institute of Standards and Technology (NIST) and judged to meet this standard." So if you previously complied with 
HIPAA standards through encryption, AND your encryption solution complies with NIST, then you should in turn comply with 
HITECH.

Jim



