The Department of Health and Human Services has begun an overhaul of the privacy and security rules governing personal health information, something that's considered vital to attempts by the Congress and the Obama administration to broaden the adoption of electronic health records.

Guidance published by the HHS on April 17 sets out ways that health information can be made immune to any security breaches, building on current rules contained in the Health Insurance Portability and Accountability Act (HIPAA).

The guidance was required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the omnibus American Recovery and Reinvestment Act (ARRA), the government's mammoth stimulus legislation.

The April 17 guidance also provides legal safeguards for those who use it. Though covered entities and business are not required to follow it, HHS said, the technologies and methodologies it describes "create the functional equivalent of a safe harbor" and those who employ them will not have to provide the kinds of notifications the HITECH requires in the case of a security breach.

The guidance is connected to two future breach notification regulations, one that will be issued by the HHS and the other by the Federal Trade Commission for vendors of personal records and those entities not covered by HIPAA.

The HHS guidance describes several technology solutions to the problem of security breaches, both of which would make personal health information "unusable, unreadable or indecipherable" , the criteria set out in the HITECH Act..

One method is encryption, as defined under the HIPAA Security Rule. The other is the destruction of the media on which the records are kept, which in the case of hard disks, tapes or other electronic media means an extensive enough purging of the data so it can't be retrieved, according to National Institute of Standards and Technology (NIST) guidelines.

The HHS is dodging, at least for the time being, the controversial issue of whether the use of limited data sets can be included as a part of these security breach guidelines.

That refers to the removal of certain identifiers that would tie the information to specific patients. It's something that's been promoted by many HIT advocates as a way of allowing the sharing of health information while meeting privacy concerns, but privacy watchdog groups have objected, saying it's too easy to "re-identify" the information.

Because of that, HIPAA still treats de-identified information as still at risk if a security breach occurs. The HHS, however, wants to know as part of a request for comment on its guidelines whether people feel this risk is sufficient to keep it outside of its list of sanctioned security methods, or if there are ways of limiting that risk.

The HHS is also asking for suggestions of other technologies or methods that can be used to secure patient health information, as well as for comment on any other areas that should be considered in regulations governing security breach notifications.

The comments have to submitted to the HHS by May 21. Though the HITECH Act requires the guidance to be updated annually, HHS said the recent guidelines could be revised and reissued this year, depending on comments received.