HIPAA and EHR Incentive Program Meaningful Use Stage 2 Encryption: Encrypt Or Document.

According to a December 2012 report by the Healthcare Information and Management Systems Society (HIMSS), HIPAA-covered entities “should start paying more attention to encryption of personal health information (PHI).”  This is not exactly news: using software like AlertBoot to encrypt medical laptops that contain PHI has always been a top recommendation.  But it appears that the “Meaningful Use Stage 2” rule of the Medicare and Medicaid Electronic Health Records (EHR) Incentive Programs is now asking for the same thing.

Encryption Not Necessary…But a Caveat

The site informationweek.com has this excellent summation of the HIMSS reasoning (my emphases):

As in MU Stage 1 [Meaningful Use Stage 1], providers must conduct a security risk analysis [in MU Stage 2]. But now they must also “address” the encryption of data stored in their certified EHRs. That doesn’t mean they have to encrypt the information on all end-user devices, but they must “implement security updates as necessary and correct identified security deficiencies,” the Meaningful Use rule says. So if they don’t use encryption, they must document their reasons and explain what alternative security methods they’re using, according to the HIMSS paper.

As I mentioned before, this is not exactly news.  The “addressability” of encryption (or, rather, of its absence) has always been a notable if frequently ignored provision where electronic PHI (protected health information) is concerned.  Under the HIPAA Security Rule, encryption of ePHI at rest (45 CFR 164.312(a)(2)(iv)) is an addressable implementation specification, not a required one: a covered entity that decides encryption is not reasonable and appropriate must document why and implement an equivalent alternative measure (45 CFR 164.306(d)(3)).  For example, I’ve noted that HIPAA/HITECH does not require the use of encryption, but if covered entities do use it and want the breach-notification safe harbor, they must use strong encryption consistent with HHS guidance (which points to the NIST standards, such as NIST SP 800-111 for data at rest).  The “optional” status of encryption was further confirmed when the final HIPAA rule was published, leaving the encryption provision addressable rather than required.

“Addressable” Means You Must Document It.  Encryption is Easier

The fact that encryption is not required doesn’t mean one can just ignore it.  The covered entity must be able to show that it has given some thought to the use of encryption and must document its reasons for opting not to use it, along with the alternative safeguards it relies on instead.  In other words, you have to run a security risk analysis and keep the paperwork.  This is especially true if you are looking to obtain EHR incentive payments.  But even if there weren’t any financial motivations, data breaches alone would still be a huge incentive for using encryption software (my emphases):

The HIMSS report notes that the average cost of a lost or stolen record to a healthcare organization is over $200. “So for a breach of 200 records, the impact to the organization of a single lost or stolen laptop is likely to be over $40,000.” And that doesn’t include legal and regulatory impacts, including potential fines. [informationweek.com]

With such numbers being batted around, not using encryption is one of those “penny-wise and pound-foolish” decisions an organization can make.  So why do people still engage in such behavior?

Given the severity of the consequences, why don’t more healthcare organizations encrypt all their data? “Anecdotally, it’s the cost of encryption technology and also a lack of ability to implement it,” Gallagher explained. “Many smaller physician offices and community hospitals don’t have anyone on staff who knows how to load the software and encrypt data on the network and on portable devices. And until recently, there was no push for it. It was easy to say, ‘it’s too expensive or too hard.'”[informationweek.com]

If that’s what’s preventing an organization from using disk encryption on its laptops, it’s a problem no more.  The AlertBoot cloud-based encryption service provides an easy and effective way to encrypt and manage laptops, and it can be done without (1) dedicated IT staff and (2) bucketloads of cash.  Find out more by visiting us.
