Data Encryption And The Cost Of Data Breaches: FTC Says Put Your Money Where Your Mouth Is?

If you’re a HIPAA-covered entity, you probably want to use data encryption software to protect any sensitive patient data.  Otherwise, when a breach occurs, you’ll have to notify a number of people: under current HIPAA regulations, it means the HHS and affected patients.

If a recent proclamation by the FTC is any indication, covered entities will have to watch what they claim.

“Deceptive and Unfair”

Rite Aid recently settled with the FTC and the HHS on charges that it failed to protect sensitive financial, medical, and health information.  It’s kind of expected, seeing how they were found dumping job applications and pharmacy labels full of personal information into your average open dumpster.  The FTC and the HHS had launched an investigation after seeing on TV that Rite Aid had engaged in lax security.

So far, nothing surprising about all of this.  What caught my eye, however, is the following in the FTC press release:

Rite Aid made claims such as, “Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously. . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy.” The FTC alleged that the claim was deceptive and that Rite Aid’s security practices were unfair.[My emphasis]

Yikes.  That quote by Rite Aid is pretty much standard in all the breach notification letters I’ve read to date.

You might be wondering what the FTC has to do with all of this.  Basically, the FTC is also supposed to get involved, per the HITECH Act, whenever there is a HIPAA breach, until a final rule is enacted.

What if Laptop Encryption was Used?

Not just laptop encryption like AlertBoot, but what if any type of tool or technology meant to protect data was used?  It’s debatable, and ultimately depends on what the HHS and the FTC want to do, I guess.

We know, for example, that safe harbor–from sending breach notification letters, if a laptop is lost, stolen, missing, etc.–is granted by the HHS when protected health information is guarded with encryption software.

On the other hand, look at the list of Rite Aid’s “failures,” per the FTC press release:

  • Disposing of personal information,

  • Adequately training employees,

  • Assessing compliance with its disposal policies and procedures, and

  • Employing a reasonable process for discovering and remedying risks to personal information.

I’m willing to bet that failure to adequately comply with the above also impacted the final settlement figures.  You’ll notice that the use of encryption tools would not impact the above at all.

One thing to be said about the use of encryption is that, if I recall correctly, you don’t have to contact anyone about the loss of an encrypted device: not people “affected” by the breach, not the HHS, no one.  And, if you don’t alert anyone outside the business, there is no reason for the FTC or the HHS to come investigate you.

Which means that, perhaps, the use of encryption could resolve a lot of headaches, more than the technology is intended to.

I’m not too enthused about this conclusion, since proper data security requires a data security framework that includes medical encryption and other information security tools as well as the above four points (and others) detailed by the FTC.

However, if I am a company that needs to comply with HIPAA, I’d be crazy not to accept any advantages extended to me.  Data security is already pretty hard as it is.
