Download the white paper "Achieve Safe-Harbor Status from HITECH Act Breach Notification" to learn more about encyption and key management best practices.
Many of my physician friends tell me how hard it is to get people to follow their health advice. They have conversations every day like this:
Doctor: You should quit smoking.
Patient: But I don’t want to. It’s hard. It’s uncomfortable.
Doctor: OK. But it is going to make you sick, and you are going to wish you did.
I think I understand their frustration. Here is a conversation I have on a regular basis with Covered Entities who need to comply with the data security requirements of HIPAA and the HITECH Act:
Me: You should really encrypt patient information (Protected Health Information, or PHI).
Covered Entity: But I don’t want to. It’s hard. It’s confusing. I have other things to do.
Me: OK. But it is going to really hurt when you have a data breach, and you are going to wish you did.
The Department of Health and Human Services (HHS) just released an update to it’s meaningful use policies about encrypting patient information. They took pains to say that they weren’t revising the rules, and encrypting patient data is not a mandate. But they also took pains to say that you REALLY, REALLY should be encrypting that data.
And they made one thing perfectly clear: The only way to avoid the data breach notification requirement, and potential fines, is to encrypt the data. Even though there is no mandate to encrypt the data, you are really going to wish you did if you have a data breach. And with small and mid sized entities increasingly the target of attacks, it is a good time to address the problem.
Here are pointers to the relevant HHS guidance documents, and a plain language interpretation of what they mean:
From this web site and this document, you can read about the encryption recommendation that says (emphasis added):
“Therefore, if a covered entity chooses to encrypt protected health information to comply with the Security Rule, does so pursuant to this guidance, and subsequently discovers a breach of that encrypted information, the covered entity will not be required to provide breach notification because the information is not considered ‘‘unsecured protected health information’’ as it has been rendered unusable, unreadable, or indecipherable to unauthorized individuals. On the other hand, if a covered entity has decided to use a method other than encryption or an encryption algorithm that is not specified in this guidance to safeguard protected health information, then although that covered entity may be in compliance with the Security Rule, following a breach of this information, the covered entity would have to provide breach notification to affected individuals.”
Interpretation: You should really encrypt that data, and it is going to hurt if you don’t.
Now that we have that part clear, what kind of encryption do you need? Here is the guidance on encryption:
“Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.”
Interpretation: Use industry standard encryption (AES, for example) and don’t store encryption keys on the computer with the data. If you ignore this advice, it is going to hurt.
Of course, doctors and health administrators do not write the EMR and patient management systems that they use, so what can they do? Here are three suggestions:
- When selecting software to manage your practice (hospital, clinic, pharmacy, etc.) insist that the vendor include encryption of patient information. This must not be optional or some feature that will be added in the future.
- When selecting software that encrypts patient information, insist that encryption keys be stored on devices designed to protect them. These should be encryption key management hardware security modules (devices) with a NIST certification to FIPS 140-2. This should not be optional or something that will be added in the future.
- If you already have software that doesn’t do encryption, start asking your vendors why they are not protecting you from a data breach. Ask them if they will pay the fines and costs of a breach. Ask for a date certain when they will provide the level of data protection that you need.
Learn more about encryption and key management best practices for HIPAA and HITECH Act in our white paper titled "Achieve Safe-Harbor Status from HITECH Act Breach Notification".