The increased use of laptops, tablets and mobile devices by healthcare professionals has transformed the way many providers operate, giving them the freedom and flexibility to provide services even when outside of their offices. As well as being able to provide instant access to patient health records, mobile devices allow for faster communication and information gathering, better patient management and monitoring, and clinical decision-making on the go.
As the use of laptops, tablets and mobile devices in the healthcare sector continues to increase, covered entities and business associates must ensure that they are using technologies compliant with HIPAA standards. Since March 2013, organizations have been required to implement physical, technical and administrative safeguards for protecting ePHI, or risk being liable for a substantial financial penalty should a breach occur.
Under the HIPAA technical safeguards, encryption of ePHI is often regarded as something of a grey area. While authentication (the implementation of procedures to verify that a person or entity seeking access to ePHI is the one claimed) is a required part of the technical standards, the rules surrounding the encryption of data are confusing.
The standards regarding encryption specifically state:
- Implementation - encryption and decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI; and
- Transmission Security - encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.
The requirement to deploy a mechanism to encrypt ePHI “whenever deemed appropriate” is relatively open to interpretation, and this is where a number of organizations have been caught out. Even with robust risk assessments in place, addressable implementation specifications must be implemented if it is “reasonable and appropriate to do so,” and therefore, for any organization handling ePHI, encryption effectively becomes a requirement.
With encryption expected to be one of the key areas OCR focuses on when conducting phase 2 HIPAA audits later this year, the question is, why is encryption not already a mandatory requirement of HIPAA?
The risk of not encrypting
Not encrypting is incredibly risky. Just ask Anthem, which was hacked back in January, with 80 million records being compromised, all because data at rest was not encrypted. A number of the highest fines handed out last year occurred as a result of stolen devices not being encrypted.
These fines raise the question of how encryption is viewed. Conducting a risk assessment was not sufficient to avoid penalties under HIPAA, as was demonstrated by the Concentra Health Service settlement when an unencrypted laptop was stolen.
Given that these fines were imposed under an addressable part of the technical standards, it is clear that while encryption is not stated as being required, organizations should carefully consider the risks of treating it as merely addressable.
Meeting HIPAA standards, whether required or not
To ensure that they meet HIPAA standards, organizations should be deploying encryption end-to-end. This includes encryption of ePHI at rest and during transmission between devices. It is crucial that organizations select vendors that are HIPAA-compliant; failing to do so exposes them to an enormous risk of data breaches.
Secure platforms that encrypt ePHI in transit should also have administrative controls to safeguard the integrity of ePHI, including the capacity to retract messages when a breach is suspected and to disable a mobile device remotely if it is lost or stolen. In addition, all devices used to store or transmit ePHI must be password protected and encrypted.
By making encryption a required part of the standards, there would be clearer guidelines for organizations to follow, and the number of breaches may even reduce as a result. However, until encryption becomes a required standard under HIPAA, the rule to follow should be “if in doubt, encrypt.”
Gene Fry is the vice president of technology and Compliance Officer at Scrypt. He has 25 years of IT experience spanning healthcare and an array of other industries in the U.S., Argentina and elsewhere in Latin America.