Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information

This document is guidance and a request for comments under section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5). ARRA was enacted on February 17, 2009. The HITECH Act (the Act) at section 13402 requires the Department of Health and Human Services (HHS) to issue interim final regulations within 180 days of enactment to require covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates to provide for notification in the case of breaches of unsecured protected health information. For purposes of these requirements, section 13402(h) of the Act defines "unsecured protected health information" to mean protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance, and requires the Secretary to issue such guidance no later than 60 days after enactment and to specify within the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Through this document, HHS is issuing the required guidance and seeking public comment both on the guidance as well as the breach notification provisions of the Act generally to inform the future rulemaking and updates to the guidance.