Since January 1, 2015, HIPAA-covered entities have reported 102 cases of loss or theft of unencrypted devices to the Department of Health and Human Services’ Office for Civil Rights. Those breaches have exposed the ePHI of more than 1.5 million individuals and could have been prevented had data encryption been employed.
The Health Insurance Portability and Accountability Act (HIPAA) does not require covered entities to use data encryption on portable devices used to store ePHI. Encryption is an ‘addressable’ issue, not a ‘required’ element. (45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii))
This does not mean encryption can simply be ignored. HIPAA requires all covered entities to perform a comprehensive, organization-wide risk assessment (45 CFR § 164.308(a)(1)(ii)(A)). The purpose of the risk assessment is to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by a HIPAA-covered entity.
If, after performing a risk assessment, a covered entity determines that data encryption is not a reasonable and appropriate safeguard for risk management, and another “equivalent alternative measure” has been implemented to safeguard ePHI, this is perfectly acceptable under HIPAA Rules. However, the covered entity must document the reasons why encryption was not implemented and the measures that have been used in its place.
HIPAA defines data encryption as “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304).
Covered entities should note that not all methods of encrypting data are equal. In order to comply with HIPAA Rules, a method of encryption should be used that has been tested by the National Institute of Standards and Technology (NIST) and determined to provide an adequate standard of protection – AES or Triple-DES, for example.
While an organization may not deem data encryption necessary on desktop computers that stay on its premises, for laptop computers and portable storage devices that are routinely taken off-site it is much harder to justify why encryption is not a reasonable and appropriate safeguard.
Unless other technology is used that renders data unusable, unreadable, or indecipherable to unauthorized individuals in the event that a laptop or other portable device is lost or stolen, healthcare organizations are not only risking the exposure of ePHI, but also a sizable HIPAA violation penalty. Covered entities should note that the use of passwords to prevent access is not a suitable substitute for data encryption: a login password gates the operating system, but the data on the drive is still stored in the clear and can be read once the drive is removed or booted from other media.
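The following is an added example, not code from the article or from any HIPAA guidance, illustrating the two points above: a NIST-approved algorithm (AES-256 in GCM mode, as provided by Go's standard library) applied to a constructed sample ePHI record, contrasted with a "password-protected" file whose contents remain readable to anyone holding the disk. The record, the password string and the function names are all assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed ePHI record used only for this demonstration.
const sampleRecord = "patient: Jane Doe; MRN: 000-TEST; dx: hypertension"

// NewDataKey returns a fresh 256-bit AES key from the OS CSPRNG.
// In a real deployment this key lives in a key manager or TPM, never next to the data.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// A random 96-bit nonce is generated per message; GCM must never reuse one under the same key.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. A wrong key or any modification of the blob fails
// the GCM authentication check and returns an error instead of garbage.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// ContainsPlaintext reports whether stored bytes still carry the record in the
// clear, which is exactly what a stolen drive reveals to whoever reads it raw.
func ContainsPlaintext(stored []byte, fragment string) bool {
	return bytes.Contains(stored, []byte(fragment))
}

// PasswordGatedFile mimics a "password-protected" file that is NOT encrypted:
// the password is merely a field stored beside the unchanged data.
func PasswordGatedFile(password string, data []byte) []byte {
	return append([]byte("password="+password+"\n"), data...)
}

func main() {
	key, _ := NewDataKey()
	blob, _ := Encrypt(key, []byte(sampleRecord))
	fmt.Println("encrypted blob exposes name:", ContainsPlaintext(blob, "Jane Doe"))
	gated := PasswordGatedFile("placeholder-password", []byte(sampleRecord))
	fmt.Println("password-gated file exposes name:", ContainsPlaintext(gated, "Jane Doe"))
	pt, err := Decrypt(key, blob)
	fmt.Println("decrypt with key:", string(pt), err)
	blob[len(blob)-1] ^= 0x01 // tamper with the tag
	_, err = Decrypt(key, blob)
	fmt.Println("decrypt after tampering:", err)
}
```

The point a risk assessment should capture is the last two checks: without the key the blob yields nothing, and any alteration is detected, whereas the "password-gated" file still contains the patient's name byte for byte.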
As we have already seen, OCR is not averse to fining healthcare organizations for failing to safeguard ePHI. This year, 12 organizations have arrived at settlements with OCR to resolve HIPAA violations discovered after PHI was stolen or exposed to unauthorized individuals.
In August this year, OCR agreed to settle with Advocate Healthcare for $5.55 million. Numerous violations of HIPAA Rules were discovered following a series of reported breaches, hence the considerable settlement. One of the violations was the failure to reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.
The failure to secure ePHI stored on an iPhone also resulted in a fine for Catholic Health Care Services of the Archdiocese of Philadelphia this year. The HIPAA business associate agreed to pay OCR $650,000 to resolve the case.
In September 2015, Cancer Care Group, P.C. agreed to settle potential HIPAA violations following the theft of unencrypted backup media from an employee’s car. Cancer Care Group agreed to pay OCR $750,000 to resolve the violations.
Many healthcare organizations only make the decision to use data encryption after experiencing a data breach. However, the use of data encryption can prevent patients’ ePHI from being exposed and allows organizations to avoid HIPAA penalties and the considerable fallout from data breaches.