Federal Officials to Explore HIPAA Rules on Data Encryption

On Friday last week, a day after Anthem Inc. announced the largest HIPAA breach ever reported, the Senate Health, Education, Labor and Pensions Committee announced that it would address healthcare IT security and “take up the matter as part of a bipartisan review of health information security”. The AP reports Jim Jeffries, spokesman for chairman Lamar Alexander, R-Tenn., as saying “We will consider whether there are ways to strengthen current protections.”

The past year saw major data breaches at Sony Pictures and Target which exposed highly sensitive information about employees and customers, while the healthcare industry was hit by a number of breaches, including the hacking of Community Health Systems in April and June 2014, in which 4.5 million patient records were exposed. The latest incident is on an unprecedented scale for healthcare, affecting up to 80 million individuals.

The latest breach bears out the FBI's warning of increased attacks on healthcare organizations. Hackers are targeting these organizations for the data they hold and the relative ease with which that data can be obtained. The threat is clearly not going away, and it is up to the healthcare industry to improve data security and protect all of the health and personal data it holds.

At present, some privacy and security safeguards under the HIPAA Rules are “addressable” rather than “required”, leaving the decision about how to implement them to the judgment of each covered entity. The Senate Health, Education, Labor and Pensions Committee will have to decide whether that needs to change.

Whether Anthem Inc. had implemented sufficient measures to protect data, as required by HIPAA, is a matter for the Office for Civil Rights to determine. The insurer had elected not to encrypt the stored data, although according to a spokeswoman for the company it did encrypt data in transit.

Last week the insurer confirmed that no medical information had been obtained by the hacker(s), although this does not mean that the HIPAA Rules were not breached. On Friday the Department of Health and Human Services’ Office for Civil Rights released a statement on the issue, amid media speculation as to whether the hack and theft of data constituted a HIPAA breach.

The HIPAA Privacy and Security Rules apply to Protected Health Information, which includes diagnoses, treatments, treatment codes, prescriptions and doctors’ notes, none of which were reportedly stolen. However, personal identifiers held by a health plan about its members, such as names, dates of birth and Social Security numbers, are also Protected Health Information, and the breach exposed many of them.

The OCR explained in its statement that “The personally identifiable information health plans maintain on enrollees and members — including names and Social Security numbers — is protected under HIPAA, even if no specific diagnostic or treatment information is disclosed.” As such it is “treating the case as a privacy law matter.”

The OCR announced that it had yet to receive a breach notification from the insurer. Under the HIPAA Breach Notification Rule, a breach affecting 500 or more individuals must be reported to HHS without unreasonable delay and no later than 60 days after its discovery, so Anthem was still within the notification window.

Calls for HIPAA Legislation to Include Mandatory Data Encryption

Such a large-scale data breach raises a number of questions about the level of security used to protect healthcare data and personal information, including whether HIPAA legislation goes far enough to ensure privacy. The huge data exposures affecting the retail and entertainment industries in recent months clearly demonstrate the danger posed by hackers.

The Health Insurance Portability and Accountability Act was extended to cover the safeguarding of electronic health records and personal identifiers with the introduction of the Security Rule, yet serious data breaches are still occurring. There are clearly gaps in HIPAA legislation, and one of the main ones concerns data encryption.

Under the HIPAA Security Rule, encryption is an addressable implementation specification, not a required one. A covered entity must assess whether encryption is reasonable and appropriate for the data it holds; if it decides that it is not, it is entitled to implement an equivalent alternative safeguard instead, provided it documents the reasoning behind that decision.

According to a report released by Forrester Research in September 2014, only 59% of healthcare organizations had implemented full-disk or file-level encryption on their computers. That figure includes organizations that encrypt only partially, for example encrypting data when it is transmitted electronically but not when it is stored.

Encryption also has its limitations. It is not infallible: encryption at rest protects data on lost or stolen devices and media and in offline copies, but a system that is running has already decrypted the data for use, so an attacker who obtains a legitimate user's credentials or compromises the system itself can read it regardless. Poor key management and human error can likewise hand protected data to unauthorized users. The cost of implementing encryption can be high, and it has the potential to slow the flow of information, which can have an impact on patient care.

Increased Legislation or More Rigorous Policing?

In his State of the Union address last month, President Obama spoke of the increased threat posed by hackers and told the nation that cybersecurity is one of his top priorities. His address was not specific to the healthcare industry, but he did call for federal legislation to improve the sharing of threat information between companies and government agencies so that those agencies can better protect the nation from hackers, and for a single national data breach notification standard that would shorten the breach reporting period and replace the patchwork of differing state laws.

A breach of the magnitude of that at Anthem raises the issue of whether data encryption should be mandatory rather than addressable. It also raises the question of whether HIPAA violations occurred at Anthem and whether action could have been taken to prevent the breach.

Should this prove to be the case, changes to the legislation may not be the answer. Healthcare organizations must get better at assessing security risks and implementing appropriate risk management strategies, while OCR's proposed permanent audit program could be used to ensure that the industry is implementing the security measures appropriate to current threats.

Even if changes to the legislation are warranted, they cannot be expected in the short term. The current chair of the HIMSS Privacy and Security Policy Task Force, Mac McMillan, believes little will happen before the next presidential election.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.