Like many practices, staff at the Hospice of Northern Idaho (HONI) didn't intend to have a laptop containing easily accessible protected health information stolen. But when it happened, the small medical organization was asked to pay a $50,000 settlement fee — even though only 441 of its patients had protected health information exposed.
In addition to blasting out a press release in December that called HONI's payment "the first settlement involving a breach of unsecured electronic protected health information affecting fewer than 500 individuals," HHS Office for Civil Rights Director Leon Rodriguez had another message for small practices: Encrypt your data to make it unreadable, and you'll be in line with key HIPAA privacy and security regulations.
"There are a whole lot of breaches being reported in small and large practices," says Sharona Hoffman, professor of law and bioethics and co-director of the Law-Medicine Center at Case Western Reserve University School of Law in Cleveland. "If you're seeing more media coverage, it's because the government is being more aggressive about enforcement."
The problem: Most docs don't have an IT degree and don't know the first thing about encryption, though it will only become more important.
Here's what your practice needs to know about encryption, in layman's terms: why it's important and how to go about encrypting data.
Encryption: The basics
Encryption is the conversion of data into a form, often called ciphertext, which cannot be understood by another party — man or machine — without being decrypted first. There are many types of encryption available that offer different levels of protection. The process of encryption is typically done by software programs that apply algorithms to the original data to scramble it into a new form.
Because algorithms are frequently changed on a timely basis, not only do you have to have the algorithms themselves, you have to have a "key" that tells you which algorithm to use and how to use it to decrypt your data. So if someone "cracked" the encryption software yesterday, it may not help them today because today's algorithm has a different key, notes Marion Jenkins, executive vice president of Denver, Colo.-based IT firm 3t Systems.
Keys come in many forms: They can be tangible (a key fob that generates new algorithms at specific time intervals), or intangible (residing in an internal software program that is accessible via a password-protected interface).
And while the category of healthcare IT security is laced with big ideas and complex vocabulary, encryption is important because the HIPAA Security Rule is pretty specific about using it to make data unreadable, and thus keep it protected.
In January, HHS moved forward to strengthen the privacy and security protections for health information established under the 1996 HIPAA law.
The final omnibus rule, based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, greatly enhances a patient's privacy protections, provides individuals new rights to their health information, and strengthens the government's ability to enforce the law. Under the rule, electronic protected health information (ePHI), whether at rest (e.g., on a server) or in transit (e.g., through e-mail), must be encrypted. If it is, even in the event of a security breach, a covered entity will not have to notify patients of the breach nor pay up to $1.5 million in fines.
And while encryption is not 100 percent foolproof (nothing is), it strongly decreases the likelihood of patient data being sabotaged, says Jenkins.