May 21, 2009
Charles E. Johnson
Acting Secretary
The Office for Civil Rights
U.S. Department of Health and Human Services
Hubert H. Humphrey Building, Room 509F
200 Independence Avenue, SW
Washington, DC 20201
Attention: HITECH Breach Notification
RE: 45 CFR Parts 160 and 164; Guidance specifying technologies and methodologies that
render protected health information unusable, unreadable, or indecipherable to
unauthorized individuals for the purposes of the breach notification requirements specified
in ARRA
Dear Mr. Johnson:
The Medical Group Management Association (MGMA) appreciates the opportunity to submit
comments on the Department of Health and Human Service’s (HHS) guidance specifying the
technologies and methodologies that render protected health information (PHI) unusable,
unreadable, or indecipherable to unauthorized individuals to prevent triggering the breach
notification requirements specified in the recently enacted “American Recovery and Reinvestment
Act of 2009” (ARRA) (Pub. L. 111-5).
ARRA defines a breach as the unauthorized acquisition, access, use, or disclosure of PHI which
compromises the security or privacy of such information. HHS is required to issue guidance, with
annual updates, on the technological solutions for protecting PHI from security breaches.
Although HIPAA covered entities are not required to follow HHS’ guidance, HHS’ recommended
technologies and methodologies would “create the functional equivalent of a safe harbor” so that
HIPAA covered entities and their business associates that implement these measures will not have
to issue breach notifications in the event of a breach, as required by ARRA.
We offer the following comments:
1. Support of Encryption and Destruction to render PHI Unusable - We support the two
identified methods included in the HHS guidance for rendering PHI unusable, unreadable,
or indecipherable to unauthorized individuals, (a) encryption, and (b) destruction. It is
clear that should PHI be properly encrypted or destroyed prior to disposal, then no breach
notification should be required. Similarly, no breach notification should be required if the
media on which PHI are stored has been destroyed in such a manner that that the data
cannot be retrieved or pieced back together.
2. Limited Data Set to Render PHI “Unusable” - We recommend adding the creation of a
limited data set to the list of methods physician practices can employ to render PHI
unusable to unauthorized individuals. A “limited data set” is information from which
“facial” identifiers have been removed. Specifically, as it relates to the individual or his or
her relatives, employers or household members, all the following identifiers must be
removed in order for health information to be a “limited data set”:

Names;















Street addresses (other than town, city, state and zip code);
Telephone numbers;
Fax numbers;
E-mail addresses;
Social Security numbers;
Medical records numbers;
Health plan beneficiary numbers;
Account numbers;
Certificate license numbers;
Vehicle identifiers and serial numbers, including license plates;
Device identifiers and serial numbers;
URLs;
IP address numbers;
Biometric identifiers (including finger and voice prints); and
Full face photos (or comparable images).
As HIPAA expressly set out that limited data sets are exempted from the accounting
requirement (45 CFR 164.528(a) (1) (viii)), we contend that the breach notification
requirement should not apply to PHI that has been converted to a limited data set.
3. De-identification of PHI – PHI that has been de-identified falls outside the purview of
the HIPAA Privacy regulation. However, we encourage the inclusion of the deidentification process as another option for physician practices to employ to render PHI
unusable to unauthorized individuals. In addition, no breach notification should be
required if the media on which PHI are stored has been de-identified. This additional
option, and the impact on breach notification, should be clearly communicated to covered
entities impacted by this Guidance.
4. No Breach Notice Required if PHI not Accessed – Should evidence clearly indicate that
PHI has not been, or could not reasonably have been, acquired by an unauthorized
individual, no breach notification should be required. As an example, should a laptop
containing PHI be stolen, and later recovered with evidence that the PHI was never
accessed, no breach notification should be required.
5. Identification of Practical Methods to Protect PHI - In developing final guidance on
this issue and in developing other guidance documents in support of the privacy and
security provisions included in ARRA, HHS should consider practical, inexpensive
technological measures and methods that protect PHI. This would ensure that the broadest
number of physician practices possible would adhere to the guidance recommendations.
HHS should widely disseminate these practical methods of protecting PHI by using, for
example, the HHS Website, provider-focused conference calls, and face-to-face meetings.
Thank you for the opportunity to comment on this important issue. Should you have any
questions regarding our comments please contact Robert Tennant at rtennant@mgma.com or 202293-3450.
Sincerely,
William F. Jessee, MD, FACMPE
President and CEO