Although the policies and procedures specified by HIPAA's Security Rule do not specifically require health care information to be encrypted, government leaders including Senator Al Franken are beginning to consider whether they should. Franken, a Democrat from Minnesota, participated in a Senate hearing on May 30, 2012 at which executives from Accretive Health, Inc. faced questions about a variety of issues, including a recent security breach.
The security breach in question stemmed from the fact that health care information was being stored on a laptop in unencrypted form. When this laptop was stolen, the personal identifying information of more than 20,000 individuals was compromised. The Minnesota attorney general is investigating the incident and has already filed a related lawsuit, but as experts in the IT support world are well aware, such problems are far from unusual.
In fact, as reported to the federal government, more than half of all significant breaches stem from the presence of unencrypted data on media or devices that wind up falling into the hands of unauthorized personnel. Not all such devices are stolen; lost devices and media contribute to this common security problem. According to Franken and other senators, requiring the encryption of patient data would go a long way toward providing an improved level of security.
During the Senate hearing, Franken indicated his intention to determine if new laws are needed or if the situation could be improved merely through a change in the relevant regulations. His office released a related statement, commenting that he would look over the testimony given at the hearing "to determine if legislation is needed to ensure that our laws adequately protect the health privacy and quality of care of patients." However, a Franken spokesperson made it clear that new regulations are far from imminent when he revealed that the senator "is still in the very early stages of looking into potential legislation, so we don't want to get into any specifics."
Right now, the HIPAA Security Rule does mention encryption, but only as an "addressable" implementation specification: a covered entity must implement it where doing so is reasonable and appropriate, and otherwise must document why it is not and adopt an equivalent alternative safeguard. The HITECH Act, which promotes the adoption of electronic health records and strengthens HIPAA enforcement, also refers to encryption, most notably by exempting properly encrypted data from its breach notification requirements, but it stops short of mandating the technology. Based on Franken's interest, however, the day may be coming when encryption is indeed required. Companies interested in taking proactive steps to be ready for that day should work with outsourced IT consultants who can help them explore their options.