The Alaska Department of Health and Human Services (DHSS) — AK’s Medicaid agency — has agreed to settle all HIPAA violation charges for $1.7 million. It is, by certain accounts, the second largest HIPAA fine in history and most definitely the first against a state agency. All of it could have been avoided with the simple use of a disk encryption software program like AlertBoot.
USB Disk, Car at the Heart of the Breach
Around October 12, 2009, a USB hard drive that contained electronic protected health information (PHI) was stolen from a DHSS computer technician’s car. The data breach was promptly reported to the US Health and Human Services Department, Office for Civil Rights (OCR). The OCR started investigating the Alaska DHSS in January 2010.
The investigation led the OCR to conclude that Alaska DHSS failed in several areas:
Did not complete a risk analysis;
Did not implement sufficient risk management measures;
Did not complete security training for DHSS workforce members;
Did not implement device and media controls; and
Did not address device and media encryption.
What HIPAA Requires
Not all of the above are actions required under HIPAA. For example, the last point, the use of encryption software, is an addressable implementation specification, not a requirement. That is, a HIPAA-covered entity has the choice of using encryption or some other safeguard to protect PHI. The HHS clearly lets everyone know that you’re not required to use data encryption tools to protect PHI:
Is the use of encryption mandatory in the Security Rule?
No. The final Security Rule made the use of encryption an addressable implementation specification. See 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii). The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.
The caveat to not using encryption, though, is that if you don’t use encryption you must provide, and document, some other method of securing PHI that is equally effective. For example, perhaps you’ll weld a completely thief-proof strongbox to an employee’s car, to be used whenever an unencrypted laptop is transported by the employee.
That solution, though, is crazy. When you consider the time, expense, and remaining vulnerabilities of the welded strongbox, disk encryption is far more advantageous. In a sense, the use of encryption is the minimum you can do in terms of PHI protection.