New guidance from HHS on health record data security

Written by Dan Blacharski on April 24, 2009

The US Department of Health and Human Services (HHS) has issued some guidance on electronic health record data security. The new document indicates that any electronic medical data needs to be made “unusable, unreadable or indecipherable” to anybody without viewing authority. The document recommends encryption and destruction as two methods for meeting the new requirement. Under the new guidance, the number of companies subject to disclosure rules is greatly expanded.

The document is part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the stimulus bill. There is a separate set of guidelines issued by HHS for entities covered under the Health Insurance Portability and Accountability Act (HIPAA), and another issued by the FTC for non-HIPAA entities. Interestingly, organizations that comply with the guidelines will get a “safe harbor” on breach notification requirements. It seems a bit bizarre: breach notification rules are designed to keep the public informed when information gets released one way or another. Giving organizations a free pass on notification just because they encrypt doesn’t seem to make any sense. That said, use of encryption for sensitive electronic health records, which would include encryption when sending health data via email, certainly makes sense.

By expanding the rule to non-HIPAA entities, patient confidentiality will get a big boost, but more companies will be obliged to comply with the new regulations. Organizations that would fall under the new rules may include online applications that send information to electronic health records, such as Google Health, or even web-based applications for managing medications or offering online personal health care management tools. It may even include iPhone apps that are designed to help users manage health and personal fitness.
