Data Encryption: Final HIPAA Privacy Rule Will Not Require Encryption.

According to breaking news from, the Final Rule on PHI protection “will not include a mandate for encryption of protected health information.”  In other words, the use of disk encryption software like AlertBoot won’t be required even if your portable computer holds a spreadsheet with Medicare details for millions of people (although, under such circumstances, you really should).

Good Thing?  Bad Thing?

I don’t know if this is a good or bad decision.  Like many people, I’d like to see organizations using more encryption software, and not because I work for a disk encryption company.  It just seems to me that when it comes to sensitive data, the use of encryption is a pretty good idea.

Plus, when you take a look at breached entities’ actions, you know they think it’s a good idea, too:  after going public with a data breach involving patient information, a medical organization will also proclaim in the same breath that they’re concerned about patient privacy and patient data security, and that they’ve recently updated their security practices and policies… including the use of encryption on previously unprotected devices.  Why would they do that if they didn’t think encryption worked?

Stating that it’s because of HIPAA/HITECH and safe harbor from the Breach Notification Rule doesn’t hold water… encrypting the data you hold after the breach doesn’t grant you safe harbor for the breach that just took place.

(Let me clue you in on an open secret relating to encryption programs: they only work when they’re installed prior to a device being stolen.  No, no — really.  I’m pretty sure this must be esoteric knowledge; otherwise, how can you possibly have so many organizations installing encryption after they’ve experienced a breach? (Yes, I’m being sarcastic)).

So, I want to emphatically say “yes” to required encryption.

On the other hand, the term protected health information (PHI) is very broad.  X-rays of your femur?  PHI.  Pictures of a melanoma growing from the tip of your nose (just the melanoma and not your face)?  PHI.  Colonoscopy video clips — showing every nook and cranny of your colon (which, incidentally, looks pretty much the same for all people)?  PHI.  I mean, does anyone really think that the loss of such data is such a tragic event that it requires cryptographic software that keeps unauthorized people from accessing the data for the next century or so?

In that respect, the pending ruling is good: it lets people decide how much security is required for a given set of data.

The above pronouncement (granted, it still needs to be announced officially) is something of a vindication for me.

In this blog, I have often noted that HIPAA-covered entities would strongly want to choose encryption over something else (like a cable lock, which doesn’t always turn out well, as we saw in yesterday’s post).  At the same time, I noted that encryption is not required, just strongly encouraged.  In fact, it is so strongly encouraged that it almost feels required; however, encryption is never labeled a requirement under HIPAA, only an “addressable” security measure.

The above observation just doesn’t sit well with some people.  I have been called to task by numerous professionals, letting me know that I’m wrong and that I might want to change my stance because they know that encryption is a requirement.

It really isn’t a requirement.  But it’s a seriously good idea.
