Healthcare providers should consider whether their handling of electronic protected health information (ePHI) meets the security standards of the Health Insurance Portability and Accountability Act (HIPAA), particularly when it comes to encrypted email.
Encryption has become a common industry safeguard for ePHI and is considered an addressable standard. “Addressable” simply means the standard is so accessible to most covered entities they would need to document why they didn’t adopt the safeguard if they choose not to and explain what procedures they have adopted instead.
According to a June 2012 Hitech Answers article by Matt Wimberley, encryption is such a trusted security feature that although the HITECH act mandated that ePHI data breaches must be reported to the Department of Health and Human Services (HHS), affected individuals, and often, the media, encryption changes the rules.
“Congress provided an important exception to this reporting requirement by defining a breach to not include ePHI protected ‘with the use of a technology or methodology specified by the Secretary’ so long as it ‘renders protected health information unusable, unreadable, or indecipherable.’ The Secretary specified encryption,” Wimberley wrote in “Encrypting ePHI to Achieve HIPAA Security.”
While most covered entities and business associates, like CIPROMS, use encrypted email to transmit ePHI, if the recipients of those messages then download or cache the ePHI on a non-encrypted hard drive, the data is no longer protected up to the addressable standard. This is where many providers may become non-compliant.
“If [covered entities] don’t encrypt (which would be a bad choice as it is [the] only viable way of avoiding very bad and expensive consequences in the event of a breach), they would have to explain in their risk analysis why it’s not feasible and what alternate mechanism they have in place to protect the data,” said Michael Dayton, CIPROMS Compliance Officer.
“It is my opinion that HHS will, at some point, require it. Since the original Security Rule went into effect, there have been [so] many free or very inexpensive encryption solutions put out there. And given the horrific fines and penalties being levied for breaches of unencrypted data, not encrypting is now being viewed as malfeasant,” Dayton added.
The simple solution? Updated security policies, technology features, and practice procedures limiting the circumstances for downloading ePHI.
“Part of our clients’ compliance plans should be that if they access any PHI, it can only be downloaded on an encrypted disk and may not be cached,” said CIPROMS CEO Cheryl Louks.
Apart from encryption, the other technical safeguards for ePHI include access control, unique user identification, and emergency access procedures, all of which are required safeguards. The other addressable standard, along with encryption, is an automatic logoff.
For more information, review the HHS Summary of the HIPAA Security Rule.
— All rights reserved. For use or reprint in your blog, website, or publication, please contact us at firstname.lastname@example.org. Photo by Jeremy Segrott via Flickr used with permission under the Creative Commons License.