    Electronic media means:

    (1) Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card;

    (2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.


    HHS Description and Commentary From the January 2013 Amendments
    General Provisions: Definitions - Electronic Media


    Proposed Rule

    The term “electronic media” was originally defined in the Transactions and Code Sets Rule issued on August 17, 2000 (65 FR 50312) and was included in the definitions at § 162.103. That definition was subsequently revised and moved to § 160.103. The purpose of that revision was to clarify that the physical movement of electronic media from place to place is not limited to magnetic tape, disk, or compact disk, so as to allow for future technological innovation. We further clarified that transmission of information not in electronic form before the transmission (e.g., paper or voice) is not covered by this definition. See 68 FR 8339, Feb. 20, 2003.

    In the NPRM, we proposed to revise the definition of “electronic media” in the following ways. First, we proposed to revise paragraph (1) of the definition to replace the term “electronic storage media” with “electronic storage material” to conform the definition of “electronic media” to its current usage, as set forth in the National Institute for Standards and Technology (NIST) “Guidelines for Media Sanitization” (Definition of Medium, NIST SP 800-88, Glossary B, p. 27 (2006)). The NIST definition, which was updated subsequent to the issuance of the Privacy and Security Rules, was developed in recognition of the likelihood that the evolution of the development of new technology would make use of the term “electronic storage media” obsolete in that there may be “storage material” other than “media” that house electronic data.

    Second, we proposed to add to paragraph (2) of the definition of “electronic media” a reference to intranets, to clarify that intranets come within the definition. Third, we proposed to change the word “because” to “if” in the final sentence of paragraph (2) of the definition of “electronic media.” The definition assumed that no transmissions made by voice via telephone existed in electronic form before transmission; the evolution of technology has made this assumption obsolete since some voice technology is digitally produced from an information system and transmitted by phone.

    Overview of Public Comments

    The Department received comments in support of the revised definition and the flexibility created to account for later technological developments. Certain other commenters raised concerns that changes to the definition could have unintended impacts when applied to the administrative transaction and code set requirements. One commenter specifically supported the change in language from “because” to “if,” noting the distinction was important to provide protection for digital audio recordings containing protected health information. One commenter suggested including the word “immediately” in the final sentence of paragraph (2) to indicate that fax transmissions are excluded from the definition of electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.

    Several commenters sought clarification as to whether data that is retained in office machines, such as facsimiles and photocopiers, is subject to the Privacy and Security Rules.

    Final Rule

    The final rule adopts the definition as proposed with two additional modifications.

    First, in paragraph (2) we remove the parenthetical language referring to “wide open” with respect to the Internet and “using Internet technology to link a business with information accessible only to collaborating parties” with respect to extranets and intranets. The parenthetical language initially helped clarify what was intended by key words within the definition. As these key words have become more generally understood and guidance has become available through the NIST regarding specific key terms, such as intranet, extranet, and internet, (see, for example, NIST IR 7298 Revision 1, Glossary of Key Information Security Terms, February 2011), we believe the parenthetical language is no longer helpful.

    Second, we do accept the recommendation that we alter the language in paragraph (2) to include the word “immediately,” to exclude transmissions when the information exchanged did not exist in electronic form immediately before transmission. This modification clarifies that a facsimile machine accepting a hardcopy document for transmission is not a covered transmission even though the document may have originated from printing from an electronic file.

    We do not believe these changes will have unforeseen impacts on the application of the term in the transactions and code sets requirements at Part 162.

    In response to commenters’ concerns that photocopiers, facsimiles, and other office machines may retain electronic data, potentially storing protected health information when used by covered entities or business associates, we clarify that protected health information stored, whether intentionally or not, in photocopier, facsimile, and other devices is subject to the Privacy and Security Rules. Although such devices are not generally relied upon for storage and access to stored information, covered entities and business associates should be aware of the capabilities of these devices to store protected health information and must ensure any protected health information stored on such devices is appropriately protected and secured from inappropriate access, such as by monitoring or restricting physical access to a photocopier or a fax machine that is used for copying or sending protected health information. Further, before removal of the device from the covered entity or business associate, such as at the end of the lease term for a photocopier machine, proper safeguards should be followed to remove the electronic protected health information from the media.