Data Encryption: New Texas Health Care Privacy Law Embraces The Use Of Cryptographic Solutions. Kind Of.
Govinfosecurity.com notes that Governor Rick Perry has signed a healthcare privacy law that goes beyond HIPAA when it comes to patient health data. Various reasons helped spur the passage of the hotly-contested bill, including the lack of HIPAA enforcement, the recent Texas-wide data breaches, and the increased exchange in health data due to the HITECH Act. Among other things, it appears that the use of encryption solutions like AlertBoot is looked favorably upon, but not as a cure-all.
The new law goes into effect on September 1, 2012.
What really stands out about this law is how it changes the financial penalties for violating it. If covered entities in Texas don’t comply with HIPAA (a federal law), the state Attorney General is authorized to “institute an action for civil penalties” according to the newly amended sections 8(b) and 8(c) of the Texas Health and Safety Code Section 181.201:
Privacy violations are upped from $2,500 to $5,000 per violation “that occurs in one year…committed negligently”
$25,000 for each violation committed knowingly or intentionally
$250,000 for each violation where “a covered entity knowingly or intentionally used protected health information for financial gain”
$1.5 million for repeat offenders (“constitutes a pattern or practice”), plus a possible revocation of professional or institutional licenses
Needless to say, it’s pretty tough.
Does the Use of Encryption Lend Any Advantages?
Yes. Safe harbor is not granted for the use of encryption software; this does not mean, however, that there are no advantages to its use. Under subsection (b-1), it is noted that (my emphasis):
(b-1) The total amount of a penalty assessed against a covered entity under Subsection (b) in relation to a violation or violations of Section 181.154 may not exceed $250,000 annually if the court finds that the disclosure was made only to another covered entity and only for a purpose described by Section 181.154(c) and the court finds that:
(1) the protected health information disclosed was encrypted or transmitted using encryption technology designed to protect against improper disclosure;
In other words, you don’t get a get-out-of-jail-free card, but the state will put a cap on damages if cryptographic solutions are used. Without the use of encryption, the sky is the limit when it comes to the penalties assessed.
Note, though, that the law clearly specifies “encryption technology designed to protect against improper disclosure.” This seems to indicate that someone will also judge whether the encryption software used was up to par.
This is a pretty smart move. In the past, laws regarding encryption have always been controversial because an accurate definition of what encryption is — for legal purposes — couldn’t be established. The above wording sidesteps the need for a fixed technical definition of encryption; at the same time, it seems to fall short of what HIPAA has done to define encryption (or, rather, strong encryption: basically, any encryption software that has been tested and approved by NIST as strong encryption).