We welcome this guest blog by Gene Fry, Compliance Officer, Scrypt, Inc.
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. This means that any covered entity (CE) or business associate (BA) that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. The HIPAA Privacy Rule addresses the storage, accessing and sharing of PHI, whereas the HIPAA Security Rule outlines the security standards which protect health data created, received, maintained or transmitted electronically; known as electronic protected health information (ePHI).
The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed as a supplemental act in 2009, and was formed in response to the improvements and increase in health technology development, and the increased use of ePHI. Transmission Security is required of HIPAA compliant hosts to protect against unauthorized public access of ePHI; however, both authentication and encryption are stated to be addressable, rather than required. This concerns all methods of transmitting data, whether it be email, Internet, or even over a private network, such as a private cloud.
Confusion around some of the items classified as addressable within these technical standards, especially around encryption, increases the risk of fines for organizations that choose not to address these standards. Fines are very likely to be handed to organizations should they experience a data breach as a result of not using encryption, even if a risk assessment is in place. Encryption is expected to be one of the key areas OCR focus on when conducting phase 2 HIPAA audits later this year.
Using Technology to Comply with HIPAA
Mechanisms exist to meet the requirements of the HIPAA safeguards, starting with use of a HIPAA compliant network hosting provider. HIPAA compliant networks must have robust firewalls in place to protect an organization’s network from hackers or data thieves. Secure platforms are required for all organizations that transmit ePHI. These platforms should deploy encryption when transmitting ePHI, and have administrative controls to safeguard the integrity of ePHI. These platforms should also have the capacity to retract messages in the event of a breach risk and be able to remotely remove a mobile device from the system if it is lost by its owner, stolen or otherwise disposed of. In addition to this, all devices used to store or transmit ePHI, such as laptops and mobile devices, should be password protected and encrypted.
The Ramifications of Failing to Encrypt
Since 2012, the U.S. Department of Health and Human Services (HHS) has issued large monetary fines for violations of the HIPAA Privacy Rule following the introduction of HITECH. Some of its biggest fines have been due to lost or stolen laptops which were unencrypted. In April 2014, Concentra Health Services were fined $1,725,220 to settle HIPAA Privacy violations which occurred after an unencrypted laptop was stolen from one its offices. Some organizations may wrongly conclude that encryption is technically not required in all cases under the HIPAA Security Rule, as it is an “addressable” standard under HIPAA, meaning that it is required only where reasonable and appropriate based on a risk assessment. However, these fines raise the question of how encryption of mobile devices containing ePHI is viewed. It is clear from the Concentra Health Service settlement that conducting risk assessments is not enough to avoid penalties under HIPAA. Rather, the risks identified in the assessment must be addressed completely and consistently. Using encryption of ePHI during transmission is another important consideration organizations need to assess when completing risk assessments. When transmitting data between devices, it is crucial that organizations select a vendor that is HIPAA compliant – without doing so, there is potential to expose organizations to enormous risk of data breaches.