Executive Overview
The recent Stage 2 Meaningful Use (MU2) Proposed Rule indicates Washington's continued
emphasis on encrypting ePHI (electronic protected health information).
This posting explains how your healthcare organization can use encryption both
as a means of achieving HIPAA compliance and as a strategic financial initiative.
It opens with a look at the structure of the HIPAA Security Rule (Security
Rule) to provide context for readers with limited knowledge of it.
The HIPAA Security Rule’s Top-Down Framework
At its broadest level, the Security Rule is organized into five categories of safeguards
and requirements: administrative, physical, technical, organizational, and
policy/procedure/documentation. These categories are complementary, not alternatives;
a covered entity must address all of them. Each is detailed with standards that covered
entities must implement to be HIPAA compliant, and many standards carry
implementation specifications (specifications), each labeled either "required"
or "addressable."
The labeling could easily lead one to conclude that addressable specifications
are optional. This is incorrect. Under the Security Rule an addressable specification
must be implemented wherever doing so would be "reasonable and appropriate."
If it is not reasonable and appropriate, the covered entity must document why
and implement an equivalent alternative measure where that is reasonable and appropriate.
A statement by NIST suggests that this analysis will usually conclude that all
addressable specifications are required for federal covered entities, and the same
reasoning is likely to apply to non-federal covered entities:
“For all federal agencies . . . all of the HIPAA Security Rule’s addressable implementation
specifications will most likely be reasonable and appropriate safeguards for implementation,
given their sizes, missions, and resources.”[i]
The Importance of Encryption
Encryption is one of the specifications the Security Rule labels as addressable
(for ePHI at rest under the access control standard, and for ePHI in transit under
the transmission security standard). Do not allow your organization to diminish
encryption's importance in your compliance framework. Regulatory actions taken in
Washington since the Security Rule's enactment have greatly increased the strategic
importance of encryption.
1. Encryption Prevents Application of the Breach Notification Rule
In the event of an ePHI breach, HITECH added to HIPAA's requirements by mandating
that the covered entity notify the affected individuals, HHS, and, in many cases,
the media. Congress provided an important exception to this reporting requirement
by defining a breach so that it does not include ePHI protected "with the use of a
technology or methodology specified by the Secretary" that "renders protected health
information unusable, unreadable, or indecipherable." The Secretary specified encryption.[ii]
By excluding unauthorized disclosure of encrypted ePHI from the definition of breach,
HHS gave organizations a powerful way to limit their financial exposure, and the
potential financial impact of a breach of unencrypted ePHI can be huge. Civil
monetary fines from HHS can reach into the millions. A financial impact model
recently released by an ANSI workgroup evaluated a hypothetical scenario in which
a major New York hospital lost a magnetic tape containing 854,000 patient records,
at a cost of over $25,000,000.[iii] The model clearly imagined a worst-case
scenario, but the costs from legal fees, training expenses, loss of reputation,
and so on can add up quickly.
Moreover, encryption greatly reduces the likelihood that your organization will
experience a reportable breach. A recent HHS study found that almost forty percent
of "large breaches" resulted from "lost or stolen devices." Had the ePHI on those
devices been encrypted, the data would have remained secure and no reportable breach
would have occurred. Note the conditions, though: the exception applies only when
the encryption meets the NIST-based standards the Secretary has specified and the
decryption key has not itself been compromised, so a device lost together with its
key or passphrase, or lost while powered on and unlocked, may not qualify. The
increasing prevalence of mobile devices will make this risk even higher. One
organization learned the hard way that "mobile" is a relative term when a
workstation became mobile after a thief smashed a window and ran off with over
4 million patient records.
Keep in mind that, depending on the circumstances of the breach, your organization
may still have obligations under other federal or state laws (46 states currently
have breach notification laws).
2. Stage 2 Meaningful Use Proposed Rule Indicates HHS’s Strong Stance on the Benefits
of Encryption
HHS's recently published MU2 Proposed Rule further illustrates Washington's continued
push toward encryption and gives organizations another reason to understand the
benefits of encrypting ePHI. MU2's HIPAA risk analysis requirement differs from
Stage 1 by specifically calling out encryption: it requires organizations to attest
to a risk analysis that considers whether encryption of "data at rest" and "data in
motion" is reasonable and appropriate.
Because HHS also oversees HIPAA compliance audits, this mention of encryption is
worth noting. Although the law itself hasn't changed, the emphasis makes it wise to
evaluate whether encryption is appropriate in every setting where ePHI is stored or
transmitted. Simply encrypting may provide more certainty than trying to establish
what an "equivalent" measure would be.
Conclusion
Washington's next step may well be to make encryption explicitly required for
all covered entities. Even before that happens, management at nearly all healthcare
organizations should already treat it as required. HHS's focus and the magnitude
of the financial risk that encryption removes demand this approach. For these
reasons your organization should make encryption a mandatory piece of its
financial risk management program.
Matt Wimberley
Consultant, Strategic Advisory Services
MattWimberley@SantaRosaConsulting.com
[i] NIST Special Publication 800-66, An Introductory Resource Guide for Implementing
the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
[ii] The Secretary requires that the encryption be consistent with standards
developed by NIST and with FIPS.
[iii] ANSI, The Financial Impact of Breached Protected Health Information:
A Business Case for Enhanced PHI Security (2012).