HITECH Guidance

8/8/2019 HITECH Guidance 1/5

19006 Federal Register / Vol. 74, No. 79 / Monday, April 27, 2009 / Rules and Regulations

treatment, and/or disposal. These volumes correspond to the sum of amounts reportable for data elements on EPA Form R (EPA Form 9350-1; Rev. 12/4/93) as Part II column B or sections 8.1 (quantity released), 8.2 (quantity used for energy recovery on-site), 8.3 (quantity used for energy recovery off-site), 8.4 (quantity recycled on-site), 8.5 (quantity recycled off-site), 8.6 (quantity treated on-site), and 8.7 (quantity treated off-site).

(b) If an owner or operator of a facility determines that the owner or operator may apply the alternate reporting threshold specified in paragraph (a) of this section for a specific toxic chemical, the owner or operator is not required to submit a report for that chemical under § 372.30, but must submit a certification statement that contains the information required in § 372.95. The owner or operator of the facility must also keep records as specified in § 372.10(d).

    * * * * *

(e) The provisions of this section do not apply to any chemicals listed in § 372.28.

Subpart E [Amended]

4. Section 372.95 is amended as follows:

a. Revise section heading.

b. Revise paragraph (b) introductory text.

c. Revise paragraph (b)(4).

§ 372.95 Alternate threshold certification and instructions.

    * * * * *

(b) Alternate threshold certification statement elements. The following information must be reported on an alternate threshold certification statement pursuant to § 372.27(b):

    * * * * *

(4) Signature of a senior management official certifying the following: pursuant to 40 CFR 372.27, I hereby certify that to the best of my knowledge and belief for the toxic chemical listed in this statement, the annual reportable amount, as defined in 40 CFR 372.27(a), did not exceed 500 pounds for this reporting year and that the chemical was manufactured, or processed, or otherwise used in an amount not exceeding 1 million pounds during this reporting year.

* * * * *

[FR Doc. E9-9530 Filed 4-24-09; 8:45 am]

BILLING CODE 6560-50-P

DEPARTMENT OF HEALTH AND HUMAN SERVICES

45 CFR Parts 160 and 164

Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information

AGENCY: Office of the Secretary, Department of Health and Human Services.

ACTION: Guidance and Request for Information.

SUMMARY: This document is guidance and a request for comments under section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5). ARRA was enacted on February 17, 2009. The HITECH Act (the Act) at section 13402 requires the Department of Health and Human Services (HHS) to issue interim final regulations within 180 days of enactment to require covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates to provide for notification in the case of breaches of unsecured protected health information. For purposes of these requirements, section 13402(h) of the Act defines "unsecured protected health information" to mean protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance, and requires the Secretary to issue such guidance no later than 60 days after enactment and to specify within the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Through this document, HHS is issuing the required guidance and seeking public comment both on the guidance as well as the breach notification provisions of the Act generally to inform the future rulemaking and updates to the guidance.

DATES: Comments must be submitted on or before May 21, 2009. The guidance is applicable upon issuance, which occurred on April 17, 2009, through posting on the HHS Web site at http://www.hhs.gov/ocr/privacy. However, the guidance will apply to breaches 30 days after publication of the forthcoming interim final regulations. If we determine that the guidance should be modified based on public comments, we will issue updated guidance prior to or concurrently with the regulations.

ADDRESSES: Written comments may be submitted through any of the methods specified below. Please do not submit duplicate comments.

Federal eRulemaking Portal: You may submit electronic comments at http://www.regulations.gov. Follow the instructions for submitting electronic comments. Attachments should be in Microsoft Word, WordPerfect, or Excel; however, we prefer Microsoft Word.

Regular, Express, or Overnight Mail: You may mail written comments (one original and two copies) to the following address only: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HITECH Breach Notification, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201.

Hand Delivery or Courier: If you prefer, you may deliver (by hand or courier) your written comments (one original and two copies) to the following address only: Office for Civil Rights, Attention: HITECH Breach Notification, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. (Because access to the interior of the Hubert H. Humphrey Building is not readily available to persons without federal government identification, commenters are encouraged to leave their comments in the mail drop slots located in the main lobby of the building.)

Inspection of Public Comments: All comments received before the close of the comment period will be available for public inspection, including any personally identifiable or confidential business information that is included in a comment. We will post all comments received before the close of the comment period at http://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202-205-2292.

SUPPLEMENTARY INFORMATION:

I. Background

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted on February 17, 2009, as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5). Subtitle D of the HITECH Act (the Act), entitled "Privacy," among other provisions, requires HHS to issue interim final regulations for breach notification by entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates. In particular, section 13402 of the Act requires HIPAA covered entities to notify affected individuals, and requires business associates to notify covered entities, following the discovery of a breach of unsecured protected health information (PHI).[1]

[1] Protected health information (PHI) is individually identifiable health information transmitted or maintained by a covered entity or its business associate in any form or medium. 45 CFR 160.103.

[2] The Act provides that the technologies and methodologies specified in the guidance also are to address the use of standards developed under section 3002(b)(2)(B)(vi) of the Public Health Service Act, as added by section 13101 of the Act. Section 3002(b)(2)(B)(vi) of the Public Health Service Act requires the HIT Policy Committee established in section 3002 to issue recommendations on the development of technologies that allow individually identifiable health information to be rendered unusable, unreadable, or indecipherable to unauthorized individuals when such information is transmitted in the nationwide health information network or physically transported outside of the secured physical perimeter of a health care provider, health plan, or health care clearinghouse. The Department intends to address such standards as they are developed in future iterations of this guidance.

[3] This provision becomes moot with the issuance of this guidance.

VerDate Nov<24>2008 14:31 Apr 24, 2009 Jkt 217001 PO 00000 Frm 00030 Fmt 4700 Sfmt 4700 E:\FR\FM\27APR1.SGM 27APR1

The Act at section 13402(h) defines "unsecured protected health information" to mean PHI that is not secured through the use of a technology or methodology specified by the Secretary in guidance. Further, the Act provides that no later than 60 days after enactment, the Secretary shall, after consultation with stakeholders, issue (and annually update) guidance specifying the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals.[2] The Act also provides that in the case the Secretary does not issue timely guidance, the term "unsecured protected health information" shall mean protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute (ANSI).[3]

If PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals by one or more of the methods identified in this guidance, then such information is not "unsecured PHI." Thus, because the breach notification requirements apply only to breaches of unsecured PHI, this guidance provides the means by which covered entities and their business associates are to determine whether a breach has occurred to which the notification obligations under the Act and its implementing regulations apply.

Further, section 13407 of the Act defines "unsecured PHR identifiable information" as personal health record (PHR) identifiable health information that is not protected through the use of a technology or methodology specified in the Secretary's guidance. Thus, this guidance also is to be used to specify the technologies and methodologies that render PHR identifiable health information unusable, unreadable, or indecipherable to unauthorized individuals for purposes of the temporary breach notification requirements that apply to vendors of PHRs and certain other entities (that are not otherwise HIPAA covered entities) under section 13407 of the Act. Section 13407 is to be administered by the Federal Trade Commission (FTC) and requires the FTC to promulgate regulations within 180 days of enactment.

The breach notification provisions of section 13402 apply to HIPAA covered entities and their business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHI (sections 13402(a) and (b)). For purposes of these provisions, "breach" is defined in the Act as the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. The Act includes exceptions to this definition for cases in which: (1) The unauthorized acquisition, access, or use of PHI is unintentional and made by an employee or individual acting under authority of a covered entity or business associate if such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship with the covered entity or business associate, and such information is not further acquired, accessed, used, or disclosed; or (2) where an inadvertent disclosure occurs by an individual who is authorized to access PHI at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility, as long as the PHI is not further acquired, accessed, used, or disclosed without authorization (section 13400, definition of "breach").

Following the discovery of a breach of unsecured PHI, a covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, inappropriately accessed, acquired, or disclosed in the breach (section 13402(a)). Additionally, following the discovery of a breach by a business associate, the business associate must notify the covered entity of the breach and identify for the covered entity the individuals whose unsecured PHI has been, or is reasonably believed to have been, breached (section 13402(b)). The Act requires the notifications to be made without unreasonable delay but in no case later than 60 calendar days after discovery of the breach, except that section 13402(g) requires a delay of notification where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security.

The Act specifies the following methods of notice in section 13402(e):

• Written notice to the individual (or next of kin if the individual is deceased) at the last known address of the individual (or next of kin) by first-class mail (or by electronic mail if specified by the individual).

• In the case in which there is insufficient or out-of-date contact information, substitute notice, including, in the case of 10 or more individuals for which there is insufficient contact information, conspicuous posting (for a period determined by the Secretary) on the home page of the Web site of the covered entity or notice in major print or broadcast media.

• In cases that the entity deems urgent based on the possibility of imminent misuse of the unsecured PHI, notice by telephone or other method is permitted in addition to the above methods.

• Notice to prominent media outlets within the State or jurisdiction if a breach of unsecured PHI affects or is reasonably believed to affect more than 500 residents of that State or jurisdiction.

• Notice to the Secretary by covered entities immediately for breaches involving more than 500 individuals and annually for all other breaches.

• Posting by the Secretary on an HHS Web site of a list that identifies each covered entity involved in a breach in which the unsecured PHI of more than 500 individuals is acquired or disclosed.


[4] De-identified health information neither identifies nor provides a reasonable basis to identify an individual. The HIPAA Privacy Rule provides two ways to de-identify information: (1) A formal determination by a qualified statistician; or (2) the removal of 18 specified identifiers of the individual and of the individual's relatives, household members, and employers, and the covered entity has no actual knowledge that the remaining information could be used to identify the individual. 45 CFR 164.514(b).

[5] 45 CFR Parts 160 and Subparts A, C, and E of Part 164.

[6] Available at http://www.csrc.nist.gov/.

[7] Preventing Data Leakage Safeguards Technical Assistance, Internal Revenue Service, http://www.irs.gov/businesses/small/article/0,,id=201295,00.html.

[8] Kanagasingham, P. Data Loss Prevention, SANS Institute, 2008.

[9] Sometimes referred to as "data at the endpoints."

[10] We solicit comments on methods to protect "data in use." See Section III.A.1.

Section 13402(f) of the Act requires the notification of a breach to include (1) a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; (2) a description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code); (3) the steps individuals should take to protect themselves from potential harm resulting from the breach; (4) a brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches; and (5) contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address. Finally, section 13402(i) requires the Secretary to annually prepare and submit to Congress a report regarding the breaches for which the Secretary was notified.

The Department's interim final regulations will become effective 30 days after publication and will apply to breaches of unsecured PHI thereafter.

II. Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

Please note that this guidance does not address the use of de-identified information as a method to render protected health information (PHI) unusable, unreadable, or indecipherable to unauthorized individuals because once PHI has been de-identified in accordance with the HIPAA Privacy Rule,[4] it is no longer PHI and, therefore, no longer subject to the HIPAA Privacy and Security Rules.[5] However, nothing in this guidance should be construed as discouraging covered entities and business associates from using de-identified information to the maximum extent practicable.

A. Background

This guidance identifies the technologies and methodologies that can be used to render PHI (as defined in 45 CFR 160.103) unusable, unreadable, or indecipherable to unauthorized individuals. It should be used by covered entities and their business associates to determine whether "unsecured protected health information" has been breached, thereby triggering the notification requirements specified in section 13402 of the Act and its forthcoming implementing regulations.

This guidance is not intended to instruct covered entities and business associates on how to prevent breaches of PHI. The HIPAA Privacy and Security Rules, which are much broader in scope and different in purpose than this guidance, are intended, in part, to prevent or reduce the likelihood of breaches of PHI. Covered entities must comply with the requirements of the HIPAA Privacy and Security Rules by conducting risk analyses and implementing physical, administrative, and technical safeguards that each covered entity determines are reasonable and appropriate. Covered entities and business associates seeking additional information also may want to refer to the National Institute of Standards and Technology (NIST) Special Publication 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule.[6]

This guidance is intended to describe the technologies and methodologies that can be used to render PHI unusable, unreadable, or indecipherable to unauthorized individuals. While covered entities and business associates are not required to follow the guidance, the specified technologies and methodologies, if used, create the functional equivalent of a safe harbor, and thus, result in covered entities and business associates not being required to provide the notification otherwise required by section 13402 in the event of a breach. However, while adherence to this guidance may result in covered entities and business associates not being required to provide the notifications in the event of a breach, covered entities and business associates still must comply with all other federal and state statutory and regulatory obligations that may apply following a breach of PHI, such as state breach notification requirements, if applicable, as well as the obligation on covered entities at 45 CFR 164.530(f) of the HIPAA Privacy Rule to mitigate, to the extent practicable, any harmful effect that is known to the covered entity as a result of a breach of PHI by the covered entity or business associate.

In accordance with the requirements of this Act, we are issuing this guidance after consultation with stakeholders. Specifically, we consulted with external experts in health informatics and security, including representatives from several Federal agencies. In issuing this guidance, HHS is soliciting additional public input on the guidance, including whether there are other specific types of technologies and methodologies that should be included in future updates to the guidance if appropriate. This guidance may be modified based on public feedback and updated guidance may be issued prior to or concurrently with the interim final regulations.

The term "unsecured protected health information" includes PHI in any form that is not secured through the use of a technology or methodology specified in this guidance. This guidance, however, addresses methods for rendering PHI in paper or electronic form unusable, unreadable, or indecipherable to unauthorized individuals.

Data comprising PHI can be vulnerable to a breach in any of the commonly recognized data states: "data in motion" (i.e., data that is moving through a network, including wireless transmission[7]); "data at rest" (i.e., data that resides in databases, file systems, and other structured storage methods[8]); "data in use" (i.e., data in the process of being created, retrieved, updated, or deleted[9]); or "data disposed" (e.g., discarded paper records or recycled electronic media). PHI in each of these data states (with the possible exception of "data in use"[10]) may be secured using one or more methods. In consultation with information security experts at NIST, we have identified two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals: encryption and destruction. Both of these methods are discussed below.

Encryption is one method of rendering electronic PHI unusable, unreadable, or indecipherable to unauthorized persons. The successful use of encryption depends upon two main features: The strength of the encryption algorithm and the security of the decryption key or process. The specification of encryption methods in this guidance includes the condition that the processes or keys that might enable decryption have not been breached.

This guidance also addresses the destruction of PHI both in paper and electronic form as a method for rendering such information unusable, unreadable, or indecipherable to unauthorized individuals. If PHI is destroyed prior to disposal in accordance with this guidance, no breach notification is required following access to the disposed hard copy or electronic media by unauthorized persons.

[11] See Section III.A.3.

[12] Golle P. (2006). Revisiting the Uniqueness of Simple Demographics in the US Population. Available at http://crypto.stanford.edu/pgolle/papers/census.pdf.

[13] See Section III.A.5.

[14] Golle P. (2006). Revisiting the Uniqueness of Simple Demographics in the US Population. Available at http://crypto.stanford.edu/pgolle/papers/census.pdf.

[15] 45 CFR 164.304, definition of "encryption."

[16] The NIST Computer Security Division's mission is to provide standards and technology to protect information systems against threats to the confidentiality of information, integrity of information and processes, and availability of information and services in order to build trust and confidence in Information Technology (IT) systems. The NIST standards are the standards the Federal government uses to protect its information systems.

Note that the technologies and methodologies referenced below in Section B are intended to be exhaustive and not merely illustrative.

Solicitation of Public Comment on Additional Technologies and Methodologies

Because we intend this guidance to be an exhaustive list of the technologies and methodologies that can be used to render PHI unusable, unreadable, or indecipherable to unauthorized individuals, we are soliciting public comment on whether there are additional technologies and methodologies the Department should consider adding to this exclusive list in future iterations of this guidance.[11]

In particular, in the development of this guidance, the Department considered whether PHI in limited data set form should be treated as unusable, unreadable, or indecipherable to unauthorized individuals for purposes of breach notification, and thus, included in this guidance. A limited data set is PHI from which the 16 direct identifiers listed at 45 CFR 164.514(e)(2) of the HIPAA Privacy Rule, including an individual's name, address, Social Security number, and account number, have been removed. Although a limited data set requires the removal of direct identifiers, the information is not completely de-identified pursuant to 45 CFR 164.514(b) of the HIPAA Privacy Rule. Due to the risk of re-identification of a limited data set, the HIPAA Privacy Rule treats information in a limited data set as PHI, which must be protected and only used or disclosed as permitted by the HIPAA Privacy Rule. However, although the HIPAA Privacy Rule treats information in a limited data set as PHI, the Rule does make distinctions in terms of its requirements between PHI in a limited data set and PHI that contains direct identifiers. First, the HIPAA Privacy Rule permits covered entities to use or disclose PHI in a limited data set in certain circumstances where fully-identifiable PHI is not permitted, such as for research purposes where no individual authorization or an Institutional Review Board waiver of authorization is obtained. See 45 CFR 164.502(a)(1)(vi) and 164.514(e). In these situations, to attempt to control the risk of re-identification of PHI in a limited data set, the HIPAA Privacy Rule requires a data use agreement to be in place between the covered entity and the recipient of the limited data set obligating the recipient to not re-identify the information or contact the individuals (45 CFR 164.514(e)(4)). Second, the HIPAA Privacy Rule further distinguishes between PHI in a limited data set and fully-identifiable PHI by excluding disclosures of PHI in limited data set form from the accounting of disclosures requirement at 45 CFR 164.528(a)(1)(viii).

In determining whether PHI in limited data set form should be treated as unusable, unreadable, or indecipherable to unauthorized individuals for purposes of breach notification, we considered the following in support of including the creation of a limited data set in this guidance: (1) Doing so would better align this guidance and the forthcoming federal regulations with state breach notification laws, which, as a general matter, only address the compromise of direct identifiers; and (2) there may be administrative and legal difficulties covered entities face in notifying individuals of a breach of a limited data set in light of limited contact information and requirements in data use agreements.

On the other hand, because PHI in limited data set form is not completely de-identified, the risk of re-identification is a consideration in determining whether it should be treated as unusable, unreadable, or indecipherable to unauthorized individuals for purposes of breach notification, and thus, included in this guidance as an acceptable methodology. Therefore, the Department is interested in receiving public comments on whether the risk of re-identification of a limited data set warrants its exclusion from the list of technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals.

For those that believe the risk of re-identification of a limited data set warrants exclusion, we also request comment on whether concerns would be alleviated if we required, for purposes of inclusion in the guidance, the removal of certain of the remaining indirect identifiers in the limited data set. For example, some research suggests that a significant percentage of the U.S. population can be identified with just three key pieces of information, along with other publicly available data: gender, birth date (month/day/year), and 5-digit zip code.[12] Would the removal of one further piece of information from the limited data set, either the month and day of birth (but not the year of birth) or the last 3 digits of a 5-digit zip code (in addition to the elements listed in the HIPAA Privacy Rule at 45 CFR 164.514(e)(2) for creation of limited data sets), sufficiently reduce the risk of re-identification such that this modified data set could be added to this guidance?[13] Research suggests that doing so could significantly reduce the risk of re-identification.[14]
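To make the re-identification question above (and comment item III.A.5 below) concrete, here is an added Python example that is not part of the HHS notice. It strips the direct identifiers of 45 CFR 164.514(e)(2) from constructed sample records, applies the two further reductions the Department asks about (year of birth only, or the first 3 digits of the zip code), and counts how many records are still unique on the gender / birth date / zip triple that the cited research identifies. The field names, the sample records and the `demo` function are this example's own assumptions; the identifier list is the example author's reading of the rule and should be checked against the rule text for a real schema.

```python
"""Limited data set creation plus a uniqueness check on the remaining quasi-identifiers.

Added example, not HHS code. Field names are assumed; sample records are constructed.
"""
from collections import Counter
from datetime import date

# The 16 direct identifier categories that 45 CFR 164.514(e)(2) requires removed
# for a limited data set, as this example reads the rule (assumed field names).
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_beneficiary_number", "account_number",
    "certificate_license_number", "vehicle_identifier", "device_identifier",
    "url", "ip_address", "biometric_identifier", "full_face_photo",
})

# Indirect identifiers the rule lets a limited data set keep; the guidance asks
# whether they allow re-identification when combined with public data.
QUASI_IDENTIFIERS = ("gender", "birth_date", "zip")


def to_limited_data_set(record):
    """Drop the direct identifiers; city, state, zip and dates remain."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def generalize(record, birth_year_only=False, zip3=False):
    """Apply the further reductions the notice asks about: keep only the year
    of birth and/or only the first 3 digits of a 5-digit zip code."""
    out = dict(record)
    if birth_year_only and isinstance(out.get("birth_date"), date):
        out["birth_date"] = str(out["birth_date"].year)
    if zip3 and "zip" in out:
        out["zip"] = out["zip"][:3]
    return out


def count_unique(records, quasi_ids=QUASI_IDENTIFIERS):
    """Number of records whose quasi-identifier tuple occurs exactly once,
    i.e. records that a matching public data set could single out."""
    keys = [tuple(str(r[q]) for q in quasi_ids) for r in records]
    counts = Counter(keys)
    return sum(1 for k in keys if counts[k] == 1)


# Constructed sample PHI records; no real people.
SAMPLE_PHI = [
    {"name": "Patient One", "ssn": "000-00-0001", "gender": "F",
     "birth_date": date(1970, 3, 14), "zip": "20201", "diagnosis_code": "E11"},
    {"name": "Patient Two", "ssn": "000-00-0002", "gender": "F",
     "birth_date": date(1970, 3, 14), "zip": "20202", "diagnosis_code": "I10"},
    {"name": "Patient Three", "ssn": "000-00-0003", "gender": "M",
     "birth_date": date(1985, 7, 2), "zip": "21201", "diagnosis_code": "J45"},
    {"name": "Patient Four", "ssn": "000-00-0004", "gender": "M",
     "birth_date": date(1985, 11, 30), "zip": "21201", "diagnosis_code": "E11"},
    {"name": "Patient Five", "ssn": "000-00-0005", "gender": "F",
     "birth_date": date(1992, 1, 1), "zip": "30301", "diagnosis_code": "K21"},
    {"name": "Patient Six", "ssn": "000-00-0006", "gender": "M",
     "birth_date": date(1992, 1, 1), "zip": "30301", "diagnosis_code": "M54"},
]


def demo():
    """Unique-record counts for the plain limited data set and each reduction."""
    lds = [to_limited_data_set(r) for r in SAMPLE_PHI]
    return {
        "limited_data_set": count_unique(lds),
        "year_only": count_unique([generalize(r, birth_year_only=True) for r in lds]),
        "zip3": count_unique([generalize(r, zip3=True) for r in lds]),
        "both": count_unique([generalize(r, birth_year_only=True, zip3=True) for r in lds]),
    }


if __name__ == "__main__":
    for variant, n in demo().items():
        print(f"{variant}: {n} of {len(SAMPLE_PHI)} records unique on {QUASI_IDENTIFIERS}")
```

On the constructed records every row of the plain limited data set is unique on the triple, each single reduction leaves four of six unique, and applying both leaves two. Real populations behave differently, which is why a covered entity would run this kind of count over its actual data set rather than rely on the toy numbers; the point is that removing direct identifiers alone does not remove the uniqueness the notice is concerned about.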

B. Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals only if one or more of the following applies:

(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key"[15] and such confidential process or key that might enable decryption has not been breached. Encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.[16]

(i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.[17]

(ii) Valid encryption processes for data in motion are those that comply with the requirements of Federal Information Processing Standards (FIPS) 140-2. These include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.[18]

(b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways:

(i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.

(ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization,[19] such that the PHI cannot be retrieved.

[17] Available at http://www.csrc.nist.gov/.

[18] Available at http://www.csrc.nist.gov/.

[19] Available at http://www.csrc.nist.gov/.

III. Solicitation of Comments

A. Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

The Department is seeking comments on its guidance regarding the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals for purposes of section 13402(h)(2) of the Act. In particular, the Department is interested in receiving comments on the following:

1. Are there particular electronic media configurations that may render PHI unusable, unreadable, or indecipherable to unauthorized individuals, such as a fingerprint protected Universal Serial Bus (USB) drive, which are not sufficiently covered by the above and to which guidance should be specifically addressed?

    2. With respect to paper PHI, are there

    additional methods the Departmentshould consider for rendering theinformation unusable, unreadable, orindecipherable to unauthorizedindividuals?

    3. Are there other methods generallythe Department should consider forrendering PHI unusable, unreadable, orindecipherable to unauthorizedindividuals?

    4. Are there circumstances underwhich the methods discussed abovewould fail to render informationunusable, unreadable, or indecipherableto unauthorized individuals?

    5. Does the risk of re-identification of a limited data set warrant its exclusion from the list of technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals? Can risk of re-identification be alleviated such that the creation of a limited data set could be added to this guidance?

    6. In the event of a breach of protected health information in limited data set form, are there any administrative or legal concerns about the ability to comply with the breach notification requirements?

    7. Should future guidance specify which off-the-shelf products, if any, meet the encryption standards identified in this guidance?

    B. Breach Notification Provisions Generally

    In addition to public comment on the guidance, the Department also requests comments concerning any other areas or issues pertinent to the development of its interim final regulations for breach notification. In particular, the Department is interested in comment in the following areas:

    1. Based on experience in complying with state breach notification laws, are there any potential areas of conflict or other issues the Department should consider in promulgating the federal breach notification requirements?

    2. Given current obligations under state breach notification laws, do covered entities or business associates anticipate having to send multiple notices to an individual upon discovery of a single breach? Are there circumstances in which the required federal notice would not also satisfy any notice obligations under the state law?

    3. Considering the methodologies discussed in the guidance, are there any circumstances in which a covered entity or business associate would still be required to notify individuals under state laws of a breach of information that has been rendered secured based on federal requirements?

    4. The Act's definition of breach provides for a variety of exceptions. To what particular types of circumstances do entities anticipate these exceptions applying?

    Dated: April 22, 2009.

    Charles E. Johnson,

    Acting Secretary.

    [FR Doc. E9-9512 Filed 4-22-09; 4:15 pm]

    BILLING CODE 4150-03-P

    FEDERAL COMMUNICATIONS COMMISSION

    47 CFR Part 27

    [WT Docket Nos. 03-66; 03-67; 02-68; IB Docket No. 02-364; ET Docket No. 00-258]

    Small Business Size Standards for the Broadband Radio Service in the 2495-2690 MHz Band

    AGENCY: Federal Communications Commission.

    ACTION: Final rule; notification of Small Business Administration approval.

    SUMMARY: This document announces that the U.S. Small Business Administration (SBA) has approved the small business size standards adopted by the Commission for the Broadband Radio Service (BRS) in the 2495-2690 MHz band.

    DATES: This announcement is made as of April 27, 2009.

    FOR FURTHER INFORMATION CONTACT: Gary D. Michaels, Auctions and Spectrum Access Division, Wireless Telecommunications Bureau, (202) 418-0660.

    SUPPLEMENTARY INFORMATION:

    1. Pursuant to SBA regulations, the Commission consulted with the SBA on March 7, 2003, and June 29, 2004, regarding small business size standards under which certain small businesses would be eligible for bidding credits in any auction of BRS licenses in the 2495-2650 MHz band and Educational Broadband Service (EBS) licenses in the 2500-2690 MHz band. Both the March 7, 2003, and June 29, 2004 consultation letters proposed the following small business definitions: Small business: an entity with average annual gross revenues for the preceding three years not exceeding $40 million; Very small business: an entity with average annual gross revenues for the preceding three years not exceeding $15 million; and Entrepreneur: an entity with average gross revenues not exceeding $3 million for the preceding three years. The SBA responded to the Commission on July 22, 2004, replying to both of the Commission's requests and stating that the contemplated BRS and EBS size standards appeared reasonable. The Commission subsequently proposed those same small business size standards for BRS and EBS in the BRS/EBS Further Notice of Proposed Rulemaking, FCC 04-135, released on July 29, 2004, 69 FR 72048, December 10, 2004. The Commission received no comments from the public regarding the proposed size standards.

    2. On March 20, 2008, the Commission released the Big LEO Third
