Encryption: No Mandate So Far
A recently announced proposal to modify the HIPAA privacy, security and enforcement rules, as required under the HITECH Act, does not mandate the use of any specific security technologies. (The original HIPAA security rule doesn't explicitly require encryption either: it lists encryption as an "addressable" implementation specification, meaning a covered entity must implement it where reasonable and appropriate, or else document why it isn't and adopt an equivalent alternative measure.)
A final rule describing how hospitals and physicians must meaningfully use electronic health records to qualify for the voluntary Medicare and Medicaid EHR incentive program also stops short of an encryption mandate.
Under that rule, hospitals and physicians must "protect electronic health information created or maintained by certified EHR technology through the implementation of appropriate technical capabilities." But those capabilities are not specified.
A companion rule that sets standards for EHR software eligible for the incentive program requires that the software includes specific encryption capabilities.
Plus, the HITECH Act breach notification rule applies only to "unsecured" protected health information. Data that has been encrypted as specified in HHS guidance, and whose decryption key was not also compromised, falls outside that definition, so an organization does not have to notify anyone about a breach of that data, which is a powerful encryption incentive.
Need another powerful incentive? A majority of the major breaches reported to federal authorities so far have involved the theft or loss of unencrypted devices or media.
But still, a clear-cut "you must encrypt" mandate would certainly make it easier for security professionals to win funding for the widespread use of encryption in their organizations.
Susan McAndrew, deputy director for health information privacy at the Department of Health and Human Services' Office for Civil Rights, says any encryption mandate would require a new, formal federal rulemaking process, complete with a comment period.
When Congress passed the HITECH Act as part of the massive economic stimulus package, it did not include any language calling specifically for any security technology use mandates. So new mandates can't be slipped into the final version of the HIPAA modification proposal, she says.
McAndrew says federal regulators in various agencies are continuing to consider the security questions to be addressed in future rules for the EHR incentive program.
Meanwhile, Tony Trenkle, director of the Centers for Medicare & Medicaid Services' Office of E-Health Standards and Services, stresses the need for healthcare organizations to conduct risk assessments, as now required both under the original HIPAA security rule and the new EHR incentive "meaningful use" rule. "Conducting or reviewing a security risk assessment is a meaningful use core objective," he notes. And a risk assessment could point to the need for encryption to address specific risks.
When it comes to security requirements, federal regulators don't want to be "so prescriptive as to eliminate advances in technology or to point to only a single firm's technology," says Dan Rode, vice president of policy and government relations at the American Health Information Management Association.
Plus, encryption raises some sticky issues, he notes. For example, if a doctor provides a patient with an encrypted copy of records, does he have to explain how to decrypt the information? "If everyone used the same type of patient portal, it might make it easier," Rode says.
Kate Borten, president of The Marblehead Group, says it's reasonable for federal regulators to at least mandate using encryption on portable devices and for data traversing the Internet "because of the heightened risk."
So what do you think? We'd like to hear from you.