One of the puzzling aspects of the HIPAA Security Rule is that the use of HIPAA data encryption is not a requirement. Rather, it’s classified as an “addressable” specification. This means that PHI encryption is “optional” only in the sense that you can opt to use something else that’s as good as encryption.
In other words, you’ve still got to protect the PHI at a level that compares to (or is stronger than) AES 128 encryption. But, in a world where you already have encryption, why would you opt for something other than encryption? Especially when that alternate protection does not afford you safe harbor from the HIPAA/HITECH Breach Notification Rule?
For example, let’s say that you opt to lock up an external hard drive in a safe instead of encrypting it, which could be a perfectly good way of complying with the Security Rule (I write “could” and not “would” because I don’t know whether this is true; I am unaware of HHS/OCR giving its official imprimatur to the practice).
What could go wrong, right?
Kmart Burglarized, Has Data Breach
According to lehighvalleylive.com, a Kmart in Wind Gap, Pennsylvania experienced an unusual type of data breach on January 4. A man robbed the retailer at gunpoint and,
…left with more than cash.
A bag stolen from a safe contained money and electronic media that backed up the store pharmacy’s computer system, the retailer said today.
The media contained confidential information related to customer prescriptions: names, addresses, dates of birth, prescription numbers, insurance cardholder IDs and drug names.
A relatively small number of those prescriptions may have included customers’ Social Security and/or driver’s license numbers.
Kmart has already contacted affected clients about the data breach. Now, had the backup “electronic media” been protected with HIPAA-compliant encryption, the company wouldn’t have had to do that.
Nor would they face the possibility of getting sued over the data breach (which Kmart will probably be able to get summarily dismissed in the courts, if rulings over the past five years are indicative of anything).
Nor would they have to submit themselves to an HHS/OCR investigation into the incident.
PHI Encryption: The Carrot and the Stick
It’s commonly noted that HIPAA covered entities should seriously consider the use of encryption. The problem with this attitude is that it doesn’t really mesh with the spirit of HIPAA. When it comes to ePHI data security, encryption software should be the default and not the fallback option. It’s when looking to secure ePHI in some other way that one should seriously consider the ramifications.