Should Encryption Be Mandated?

Advisers ponder requirement for one-to-one exchanges
A federal advisory group is fine-tuning a number of recommendations for improving the security of health information exchanges, including mandating encryption in certain cases.

The Privacy and Security Workgroup of the HIT Policy Committee is considering security protections for all forms of information exchange, ranging from local, regional or statewide Health Information Exchanges to one-on-one communications.

The panel is calling attention to the need to ensure that even when one doctor shares information with another over the Internet, adequate security precautions are taken.

The role of encryption
For example, in its draft recommendations, the workgroup advocates mandating encryption for "one-to-one exchange from one provider to another for treatment purposes," even if the exchange is direct and not through an HIE.

"The content should not be able to be accessed by an unauthorized party while in transit, nor should an entity facilitating the transport have access to that data," says Deven McGraw, who chairs the workgroup. The attorney is director of the health privacy project at the Center for Democracy & Technology, a Washington-based, not-for-profit civil liberties organization.

The encryption mandate could be included in a modification to the HIPAA security rule or an addition to the meaningful use requirements or certification criteria for the federal electronic health record incentive payment program under the HITECH Act, according to the workgroup.

The HITECH Act's breach notification rule already includes a powerful encryption incentive. It features a safe harbor that exempts organizations from reporting breaches of information that's encrypted in a certain way.

What's next?
In the weeks ahead, the workgroup will "devote more intensive efforts to the policy and technology framework needed to govern health information exchange," McGraw says.

Ultimately, the HIT Policy Committee will make final recommendations to David Blumenthal, national coordinator for health information technology. That, in turn, could lead to new policies enacted by the Department of Health and Human Services.

"A comprehensive set of privacy and security protections that build on current critical to building the foundation of trust that will support and enable meaningful use by providers, hospitals, consumers and patients," according to a workgroup statement.

Setting limits
The workgroup also is considering recommending limits on identifiable information in messages transmitted in one-to-one exchanges. "If you protect the content of the message, but if the subject of the e-mail says 'lab results for Mrs. Jones,' you've exposed health information to potential inappropriate access, use and disclosure," McGraw says.

In addition, the workgroup has identified the need for user identification and authentication technologies to facilitate exchanges.

"In order for providers to securely exchange messages over the Internet, they need a digital identity that can be proven or authenticated so that the receiving provider knows that it came from Dr. Smith," McGraw says. "And, similarly, the sending provider needs to trust that she is sending the message to the right receiving provider."

The to-do list
It remains to be seen whether the workgroup will recommend that all its guidelines for one-to-one exchanges, along with other requirements, be applied to HIEs.

The issues the workgroup will address in the weeks ahead, according to McGraw, include:

  • Drilling down on all specific policies and technology requirements for all models of information exchange;
  • Reviewing issues involved in getting patient consent to share their information;
  • Providing "transparency" for patients about the use of their information.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.