Encrypting HIPAA-covered data is not mandatory. The Health Insurance Portability and Accountability Act does cover the use of encryption to safeguard the protected health information of patients and health plan members, but encryption is only an addressable implementation specification, not a required one. However, that does not mean encryption can simply be ignored.
HIPAA-covered entities are required to conduct a risk analysis to identify all potential risks to the confidentiality, integrity, and availability of PHI. Following the risk analysis, HIPAA-covered entities must decide how best to manage and mitigate those risks. One such measure is the use of encryption technologies to safeguard ePHI at rest and in motion.
HIPAA-covered entities must consider the use of encryption; however, an alternative safeguard can be adopted if it provides an equivalent level of protection. If encryption is not used to protect ePHI and an alternative is selected, the decision process must be documented. In the event of a HIPAA compliance audit or OCR investigation, the documentation will need to be supplied to regulators.
Encryption is one of the best safeguards against the theft of ePHI. In fact, if a portable device containing the ePHI of patients is lost or stolen and the data on the device are encrypted in a manner consistent with HHS guidance, and the decryption key has not also been compromised, the incident does not need to be reported to the Department of Health and Human Services’ Office for Civil Rights.
The importance of encrypting HIPAA-covered data has recently been highlighted by a security incident reported by Denton Health Group. Denton Health Group, which is part of the HealthTexas Provider Network, recently discovered that a portable storage device had been stolen.
The device was used to store backup data from the Health Group’s EHR system. The data stored on the device included a wide range of ePHI, including names, addresses, phone numbers, Social Security numbers, driver’s license numbers, and other personal information of patients. The device was discovered to be missing on January 11, 2017, and an internal investigation suggests it was stolen around December 29, 2016. The storage device contained backups dating back 7 years.
While the device was physically secured in a locked closet, the data on the device were not encrypted. Consequently, the ePHI of patients could potentially be accessed by whoever stole the drive.
Had the data on the device been encrypted, with the key held separately from the device, there would have been no meaningful risk of the information being accessed by unauthorized individuals, no need to report the incident to OCR, and no need to notify patients of the security incident. The cost of issuing notifications and providing credit monitoring and identity theft protection services could have been saved, and Denton Health Group would have avoided a HIPAA investigation. OCR investigates all breaches of more than 500 records and can fine healthcare organizations if serious HIPAA violations are uncovered.
The incident underscores just how important encrypting HIPAA-covered data is, yet many healthcare organizations have still not implemented encryption technologies to protect ePHI at rest.