Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.
HIPAA security provisions for protecting electronic patient data not only apply to medical practices but their business associates as well.
Encryption is a method that renders data unreadable unless the individual holds the key (password) needed to render it readable again. Pursuant to HIPAA, encryption is required at rest and in transit. Many excuses are given as to why physicians and other covered entities, as well as business associates and subcontractors, do not encrypt protected health information (PHI); among them are inconvenience, time, and expense. But these arguments are paltry compared with the variety of options available at varying price points, as well as the breach-reporting safe harbor provided by the HITECH Act. Therefore, physicians, their business associates, and subcontractors should evaluate the various encryption options available and perform adequate due diligence on their IT providers.
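The paragraph above describes encryption at rest in one sentence: stored data is unreadable unless the reader holds the key. The following Go program is an added example, not code from the article, NIST, or any product it mentions; it encrypts one constructed (fictional) patient record with AES-256-GCM from Go's standard library, then shows three outcomes a reviewer of an "encrypted at rest" claim should expect: the correct key recovers the record, a wrong key yields an error and no plaintext at all, and a single altered bit in the stored bytes is detected instead of silently producing corrupted PHI. The function names (`newKey`, `sealRecord`, `openRecord`) and the record layout (nonce followed by ciphertext and tag) are choices made for this example only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a fresh 256-bit data-encryption key from the OS CSPRNG.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD builds an AES-256-GCM cipher. GCM also authenticates the
// ciphertext, so any modification of a stored record is detected on decryption.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one record for storage. The output layout (an
// assumption of this example) is nonce || ciphertext || GCM tag; the nonce
// is random and is never reused with the same key.
func sealRecord(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openRecord decrypts a record produced by sealRecord. It returns an error
// and no plaintext if the key is wrong or the stored bytes were altered.
func openRecord(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("patient=Jane Doe;dob=1970-01-01;dx=example")
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	sealed, err := sealRecord(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored bytes (unreadable without the key): %x\n", sealed)

	// The right key recovers the record.
	back, err := openRecord(key, sealed)
	fmt.Printf("decrypt with correct key: %q err=%v\n", back, err)

	// A different key yields no plaintext, only an error.
	wrongKey, _ := newKey()
	_, err = openRecord(wrongKey, sealed)
	fmt.Println("decrypt with wrong key: err =", err)

	// A one-bit change to the stored record is detected on decryption.
	sealed[len(sealed)-1] ^= 0x01
	_, err = openRecord(key, sealed)
	fmt.Println("decrypt after tampering: err =", err)
}
```

The example keeps the key in program memory only to stay self-contained. In a real deployment the key is the part that decides whether the HITECH safe harbor applies: stored ciphertext is only "unreadable" to a thief if the key was not lost with it, so the key belongs in a key-management system or hardware module separate from the encrypted data, with its own access controls and audit trail.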
According to the National Institute of Standards and Technology (NIST), "[t]here are many factors for organizations to consider when selecting storage encryption solutions, such as the platforms they support, the data they protect, and the threats they mitigate. Some solutions involve deploying various servers and installing software on the devices to be protected, while other solutions can use existing servers, as well as software on the devices to be protected, such as Federal Information Processing Standards (FIPS) approved encryption features built into the devices' operating systems." (NIST Pub. 800-111, EI). Physicians and hospitals should work closely with their IT providers to ascertain what types of encryption should be utilized at rest and in transit in relation to the following factors: (1) size, complexity, and capabilities; (2) technical infrastructure, hardware, and software security capabilities; (3) cost; and (4) the likelihood and sensitivity of the PHI. (45 C.F.R. §164.306(b)(2)). With the range of options and pricing available, there is no excuse for noncompliance. Equal attention should be given to the deletion of e-mails. As HHS expressed, "[f]ailing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI."
In sum, it is crucial for organizations to meet the requisite NIST standards to ensure that this facet of HIPAA and HITECH compliance is met. Being proactive now can mean preventing a costly penalty later.