The Department of Health and Human Services' Office for Civil Rights recently issued a proposed rule to strengthen several provisions of the HIPAA privacy, security and enforcement rules, as mandated under the HITECH Act.

But the rule doesn't mandate encryption of data, despite OCR's public list of large breaches of unencrypted protected health information recently surpassing the 100-incident mark since reporting of large breaches started last September.

Kate Borten, president of the Marblehead Group, a Massachusetts-based health information security consultancy, believes some type of encryption mandate was warranted in the rule. There is no alternative security equivalent to encryption for portable electronic media, she contends.

So when HITECH mandated beefing up the privacy and security rules, why didn't OCR take the opportunity to address encryption? Borten acknowledges that HITECH put a lot of regulatory issues on the table for OCR and all of HHS. "They were swamped with what had to happen." In the rule, OCR met its regulatory obligation by setting new policies in areas that were expressly addressed under HITECH, she notes. "My guess is encryption would have been a battle and since it wasn't required, it waited."

There's some truth to that, says Susan McAndrew, deputy director for health information privacy at OCR. "We believe encryption is a meaningful safeguard but not a silver bullet."

Encryption, McAndrew contends, has always been part of the security rule. As an "addressable" issue, use of the technology is to be considered to provide access control to data in transmission or storage. "In both of these environments, encryption is expressly provided for as one way you can meet those technology safeguards."

Further, "addressable" means an organization is to apply encryption unless it can demonstrate that it is not technically reasonable or financially feasible in the particular environment being considered, McAndrew explains. If encryption is not adopted, an organization must come up with an equal way of safeguarding. Health care organizations, she adds, are still dealing with a variety of environments with complex advanced information systems mixed in with lots of legacy systems. Consequently, federal regulators still need to provide latitude to organizations to make their own decisions.

Another reason that encryption was not considered in the new rule is that advisory committees of the Office of the National Coordinator for Health Information Technology continue to study the issue as they prepare recommendations for future rulemaking. So, while meeting HITECH's statutory requirements was the top priority under the new rule, the absence of new requirements on encryption also reflects that there still is an evolving conversation on the issue at ONC, McAndrew says.

There's still one nagging issue--the growing number of organizations that publicly report a large data breach and wind up making encryption one of their subsequent security improvements. If an organization finds encryption is technically reasonable and financially feasible after a large public breach, why wasn't the technology previously appropriate?

McAndrew acknowledges that in an OCR-overseen corrective action plan that Providence Health System agreed to implement following a large breach in TK, encryption of laptops was part of the plan. Further, OCR will be encouraging encryption as a way of satisfactorily settling investigations of organizations experiencing large breaches and appearing on the public list. Many of these organizations, she notes, have encryption policies but they weren't followed.

What's my take on the issue? I like Susan McAndrew and her team. They are fine public officials committed to improving health information privacy while searching for the right balances in a huge, complex and financially challenged industry. They and other federal officials fully understand that if HITECH's goal of significantly accelerating adoption of health information technology is to succeed, consumers have to believe that their electronic health data is safer than paper.

But an encryption mandate can't wait much longer. Incident after incident, the public breach list screams for encryption. After 100+ major data losses in nine months, providers continue to mail breach notification letters that begin, "At (insert name here) we take the privacy of your health information very seriously." The breach list has really shone the light on health information security--and the unwillingness of the industry to take basic, common-sense steps to improve protection without being forced.

