The Security Scrutinizer with Howard Anderson

Encryption: No Mandate So Far

Some healthcare information security professionals long for the day when they can go to their bosses and say, "This regulation requires us to use encryption." That would make it much easier to win budgetary support. But that day has not yet arrived.

A recently announced proposal to modify the HIPAA privacy, security and enforcement rules, as required under the HITECH Act, does not mandate the use of any specific security technologies. (The original HIPAA security rule strongly encourages the use of encryption but doesn't explicitly require it either.)

A final rule describing how hospitals and physicians must meaningfully use electronic health records to qualify for the voluntary Medicare and Medicaid EHR incentive program also stops short of an encryption mandate.

Under that rule, hospitals and physicians must "protect electronic health information created or maintained by certified EHR technology through the implementation of appropriate technical capabilities." But those capabilities are not specified.

A companion rule that sets standards for EHR software eligible for the incentive program requires that the software include specific encryption capabilities.

Plus, the HITECH Act breach notification rule states that those organizations that encrypt data do not have to notify anyone about breaches of that data, which is a powerful encryption incentive.

Need another powerful incentive? A majority of the major breaches reported to federal authorities so far have involved the theft or loss of unencrypted devices or media.

But still, a clear-cut "you must encrypt" mandate would certainly make it easier for security professionals to win funding for the widespread use of encryption in their organizations.

Susan McAndrew, deputy director for health information privacy at the Department of Health and Human Services' Office for Civil Rights, says any encryption mandate would require a new, formal federal rulemaking process, complete with a comment period.

When Congress passed the HITECH Act as part of the massive economic stimulus package, it did not include any language calling specifically for any security technology use mandates. So new mandates can't be slipped into the final version of the HIPAA modification proposal, she says.

McAndrew says federal regulators in various agencies are continuing to consider the security questions to be addressed in future rules for the EHR incentive program.

Meanwhile, Tony Trenkle, director of the Centers for Medicare & Medicaid's Office of E-Health Standards and Services, stresses the need for healthcare organizations to conduct risk assessments, as now required both under the original HIPAA security rule and the new EHR incentive "meaningful use" rule. "Conducting or reviewing a security risk assessment is a meaningful use core objective," he notes. And a risk assessment could point to the need for encryption to address specific risks.

When it comes to security requirements, federal regulators don't want to be "so prescriptive as to eliminate advances in technology or to point to only a single firm's technology," says Dan Rode, vice president of policy and government relations at the American Health Information Management Association.

Plus, encryption raises some sticky issues, he notes. For example, if a doctor provides a patient with an encrypted copy of records, does he have to explain how to decrypt the information? "If everyone used the same type of patient portal, it might make it easier," Rode says.

Kate Borten, president of The Marblehead Group, says it's reasonable for federal regulators to at least mandate using encryption on portable devices and for data traversing the Internet "because of the heightened risk."

So what do you think? We'd like to hear from you.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
