HIPAA encryption software: Despite its many benefits, it’s not uncommon to find people who are not taking advantage of the safe harbor it offers. For example, Larsen Dental Care – in Pocatello, Idaho – has posted a notice alerting its patients of a stolen external hard drive. Such a move would have been unnecessary if said device had been protected with hard drive encryption.
Implement an Equivalent Alternative Measure
According to the letter, the breach occurred on March 24, 2014. The hard drive was stolen from an employee’s car, exposing names, addresses, dates of birth, email addresses, phone numbers, dental records, medical histories, health insurance IDs, and SSNs.
How did Larsen Dental Care know what was stolen? They don’t give details but do mention that a “forensic analysis” was conducted. In all likelihood, they looked at the information that was last copied to the external hard drive and possibly took at the contents of the last backup as well. The problem with such an approach is that there’s always the risk that something was left out.
Which is why any electronic device that holds PHI should be encrypted. It’s a well-known fact that, under HIPAA, the use of encryption is not a requirement. What’s less known, though, is that the rules require that a covered entity do the following:
- Investigate whether encryption is an appropriate solution for protecting PHI (it rarely isn’t),
- In the (rare) occasion that encryption is not an appropriate solution, the HHS notes that one must (1) document the reason for not using encryption and (2) “implement an equivalent alternative measure“.
When put in this light, I think most people would agree that this is a classic case of “heads I win, tails you lose” or being asked to choose between resigning and getting fired. The choices given are anything but: even if you decide not to use encryption, you must implement something equivalent to the protection that encryption affords.
Some people don’t interpret it this way, though. They see the word “addressable” and think it means “optional”…which is not wrong. However, the options are pretty limited: where can you find an alternative that would:
- Take the FBI at least one year of trying to crack, if they get lucky?
- Cost at least thousands of dollars to overcome said security?
Why Choose the (Worse) Alternative Option?
But why employ an equivalent alternative measure when encryption is already available? Well, as it turns out, cost tends to be the determining factor in most cases.
But, there’s something to consider here: the alternative to encryption doesn’t provide safe harbor benefits from the Breach Notification Rule. In addition, it’ll probably be more expensive than encryption to implement, if it truly is equivalent to encryption. It’ll probably be more cumbersome to implement. And, it will cost more to maintain and operate.
What will happen to Larsen Dental Care? Chances are, not much. An online search shows that there are 123 listings for dentists in Pocatello, so those concerned with data security will probably go to the competition. Most won’t, though: in my experience, once you find a dentist that you love, you stick by him or her, and the testimonials on Larsen’s website show that it’s a fine dental care establishment.
On the other hand, who knows? The HHS is ramping up their audits on covered entities this year. It’s a potential business risk that many try to avoid by lowering the risk of a data breach.
Related Articles and Sites: