HIPAA: Do You Need Proof of Encryption?

Privacy, security, and breach notification rules of HIPAA Title II (the core concerns for IT compliance) don’t state explicitly that you need to retain proof of any efforts you make to encrypt devices. However, Mike Chapple, PhD, Notre Dame’s senior director of IT service delivery, recommends you keep all records.

Encryption A Major Concern

The issue of device data encryption took center stage in 2014 when the HHS’s Office for Civil Rights (OCR) reached settlements totaling almost $2 million with two healthcare firms after they reported the theft of unencrypted laptops:

  • Concentra Health Services, owned by Humana, agreed to a settlement of $1.7 million for failing to meet industry-standard security expectations, resulting in a breach of protected health information when an unencrypted laptop was stolen from one of its clinics, the Springfield Missouri Physical Therapy Center; and
  • Arkansas’s QCA Health Plan settled for $250,000 when a laptop was stolen that contained PHI – although a relatively small amount, that of 148 patients.

According to a Verizon report on data breaches, 46% of compromises involved lost or stolen equipment that was not encrypted. Verizon singled out healthcare as particularly at risk and urged it to act immediately, and the same concern applies when establishing a HIPAA-compliant cloud presence.

“Covered entities and business associates must understand that mobile device data security is their obligation,” explained OCR privacy deputy director Susan McAndrew (http://www.fiercehealthit.com/story/ocr-levies-2-million-hipaa-fines-stolen-laptops/2014-04-23). “Our message to these organizations is simple: encryption is your best defense against these incidents.”

Proof Of Encryption

Encryption alone may not be enough, though. Confusion over whether proof of encryption is necessary, and exactly what such proof would entail, was the subject of a user question put to Notre Dame IT director Mike Chapple, PhD (http://searchsecurity.techtarget.com/answer/Do-HIPAA-encryption-requirements-include-PHI-devices).

Dr. Chapple advised that the HIPAA Omnibus Rule (the law’s most recent modification) does not state that proof of encryption is required. Nonetheless, it is still wise to encrypt all mobile device data, including laptops, and to keep documentation of that encryption easily accessible. If a device goes missing, that documentation is what shows federal investigators immediately that the data on it was protected and that you take security seriously.

“Encrypting devices that contain PHI provides a way to neatly sidestep HIPAA’s breach notification requirements if the device is lost or stolen,” said Chapple. “Quite simply, the loss of a device containing properly encrypted data does not constitute a breach.”

Do you really want to keep proof when the rule doesn’t say you have to? By now most of us know that “cover your assets” (CYA) is one of the most important legal concepts there is, both for defending against lawsuits and for stating your case to investigators. Two caveats a practitioner should keep in mind: under HHS’s breach notification guidance, the safe harbor applies only to encryption that meets its standard (for data at rest, NIST Special Publication 800-111), and only if the decryption key was not compromised along with the device; a laptop stolen with its passphrase on a sticky note gains nothing from the encryption. The best way to go about encryption is via a centralized solution, said Chapple, and a healthcare-exclusive cloud platform could serve as that enveloping system.
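Dr. Chapple’s advice to keep documentation of encryption readily accessible raises the practical question of what that documentation looks like. The script below is an added example, not code from the original page, from Dr. Chapple, or from ClearDATA. It takes the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints on a Linux laptop (the sample embedded here is constructed, not captured from a real host), walks the device tree to decide whether each mounted filesystem sits on top of a dm-crypt/LUKS layer, and writes a digest-stamped evidence record that a central inventory could collect from every machine. The hostname `lt-clinic-07`, the list of mounts that must be encrypted, and the timestamp are assumed values chosen for illustration.

```python
"""Added example (not from the page): build a tamper-evident record of which
mounted filesystems on a Linux host sit on a dm-crypt/LUKS layer, from the
JSON output of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample of lsblk JSON output for a hypothetical clinic laptop
# (not captured from a real machine): root is LVM on LUKS, /boot is plain
# vfat, and an attached second disk holds an unencrypted ext4 volume.
SAMPLE_LSBLK_JSON = r"""
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot"},
       {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
        "children": [
          {"name": "luks-root", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null,
           "children": [
             {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"}
           ]}
        ]}
     ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sdb1", "type": "part", "fstype": "ext4", "mountpoint": "/data"}
     ]}
  ]
}
"""


def _walk(devices, ancestors=()):
    """Yield (device, ancestors) for every node in the lsblk tree."""
    for dev in devices:
        yield dev, ancestors
        yield from _walk(dev.get("children", []), ancestors + (dev,))


def mounted_filesystems(lsblk_json):
    """Map each mountpoint to True if any device beneath it is a dm-crypt mapping.

    Checking the whole ancestor chain, not just the parent, is what makes
    LVM-on-LUKS or LUKS-on-RAID layouts count as encrypted."""
    tree = json.loads(lsblk_json)["blockdevices"]
    result = {}
    for dev, ancestors in _walk(tree):
        mountpoint = dev.get("mountpoint")
        if not mountpoint:
            continue
        encrypted = any(d.get("type") == "crypt" for d in ancestors + (dev,))
        result[mountpoint] = encrypted
    return result


def build_evidence(hostname, lsblk_json, required_mounts=("/",), collected_at=None):
    """Produce the evidence record for one host.

    required_mounts (an assumed policy) lists filesystems that must be
    encrypted; /boot is left out of the default because an unencrypted /boot
    is normal and holds no PHI. A required mount that is absent or unmounted
    counts as not proven encrypted. collected_at is injectable for testing."""
    filesystems = mounted_filesystems(lsblk_json)
    missing = sorted(mp for mp in required_mounts if not filesystems.get(mp, False))
    record = {
        "hostname": hostname,
        "collected_at": collected_at or datetime.now(timezone.utc).isoformat(),
        "filesystems": filesystems,
        "unencrypted_required_mounts": missing,
        "compliant": not missing,
    }
    # Digest over the canonical JSON so a later reader can detect edits.
    # This gives integrity only; authenticity needs the collecting system to
    # sign or HMAC the record with a key the laptop itself does not hold.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    record["sha256"] = hashlib.sha256(canonical.encode()).hexdigest()
    return record


def verify_evidence(record):
    """Recompute the digest; False if any field was altered after collection."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest() == record.get("sha256")


if __name__ == "__main__":
    evidence = build_evidence("lt-clinic-07", SAMPLE_LSBLK_JSON, required_mounts=("/", "/data"))
    print(json.dumps(evidence, indent=2))
```

Run on a real host, replace `SAMPLE_LSBLK_JSON` with the output of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` and ship the record to whatever central system keeps the fleet inventory; that system, not the laptop, should sign or HMAC the record so the evidence still stands if the laptop itself is the thing that goes missing. On the sample data the record flags `/data` as an unencrypted required mount, which is exactly the kind of external volume that turns a lost device into a reportable breach.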

Turnkey HIPAA Compliance

Do you want to explore cloud services that have the encryption you need to maintain data compliance? Then partner with ClearDATA. Our turnkey, truly HIPAA-compliant infrastructure is built to meet the ongoing needs of today’s – and tomorrow’s – healthcare industry.
