Data Encryption Advisable but not Mandatory Under HIPAA
Healthcare organizations must take steps to prevent confidential patient health data from being viewed, accessed or used by unauthorized individuals, although current HIPAA regulations do not require healthcare organizations – or their business associates – to encrypt PHI data. However, according to the Director of the Office for Civil Rights, Leon Rodriguez, it is strongly advisable.
The HIPAA data breach rule requires healthcare organizations to report any loss of laptop or mobile device containing patient data as a HIPAA breach since the introduction of the HITECH Act (2009); however the loss is not reportable if the data on the device has been encrypted (provided the data encryption is in accordance with the guidance issued by the National Institute of Standards and Technology). According to Rodriguez, in all cases of laptop or computer theft reported to date, financial penalties would have been avoided if the data contained on the lost/stolen devices had been encrypted.
Following a data breach, HIPAA covered entities are required to notify all individuals affected by the breach. The cost of notifying all patients can be considerable, especially with large data breaches involving tens of thousands of patients; the financial penalties issued by the OCR even more so.
Last year, Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc were required to settle with the OCR following the theft of a laptop containing the records of its patients. It paid $1.5 million for the data breach, while an even larger settlement of $1.7 million was incurred by the Alaska Department of Health and Human Services (DHHS) following the loss of an unencrypted hard drive. Even relatively small data breaches can incur substantial fines, as was the case with a small Idaho hospice which was fined $50,000 for the theft of a laptop containing just 441 records. Each of these institutions could have paid as little as $150 to have the data encrypted, and by doing so would have avoided the fines.
Protecting data with passwords is better than leaving data totally unprotected; however passwords alone are insufficient to prevent thieves from accessing the data; only robust data encryption passes muster. When data is encrypted, any individual without the pass code or key will be presented with unintelligible data and PHI will therefore be rendered useless.
Data can be encrypted on hard drives, laptops or network servers but also in transit by using text encryption services and remotely connecting with databases using a secure Virtual Private Network (VPN). When these services are employed, even if the data is intercepted by cybercriminals it cannot be viewed or accessed without the pass code.
The cost of implementing encryption across all computers, laptops, servers, tablets and Smartphones used by a healthcare entity can represent a substantial cost, although much lower than the potential fines issued by the OCR for non-compliance and data breaches. Forcing the healthcare industry to encrypt data by means of legislative changes would place financial demands on healthcare organizations which could potentially affect the medical services offers, which is why the healthcare industry has objected to amendments to HIPAA enforcing data encryption.
With cybercriminals now targeting healthcare organizations due to the high value of patient data and with the situation only likely to get worse, is it is probable that data encryption will be included in future legislation changes. The message to HIPAA-covered entities is clear. You don’t have to pay for data encryption, but you will certainly be paying if an unencrypted laptop, cell phone or hard drive is stolen. Since legislation changes are also likely in the years to come, it makes sense to employ them now and be assured of HIPAA compliance.