A mandate requiring encryption of PHI will not be included in the next update to HIPAA regulations, according to an interview conducted by Health Data Management with Susan McAndrew, deputy director for health information privacy in the Department of Health and Human Services’ Office for Civil Rights.
This is just a bit misleading.
Encryption right now is an addressable item, not a required item.
As a refresher:
- Required = must comply with this rule.
- Addressable = if you do not comply with this rule, you had better have a very good reason why AND a complete paper trail explaining why you do not feel your office needs to comply with this rule.
The reason some rules are Addressable is that a given rule may be too expensive or taxing to implement.
So when does it make sense for an office to NOT follow this rule?
Let’s take a look at the rule first, which is 45CFR164.312(a)(iv):
“A covered entity must implement a mechanism to encrypt and decrypt electronic protected health information.”
That is pretty broad, and even though the rule says “must implement,” the fact that it is addressable means you do not have to follow it, but again you must have a very good reason that is well documented.
In a perfect world an office will have all electronic data, specifically PHI, encrypted.
In reality this does not always make sense.
An example of when encrypting hard drives may be too “expensive” for a small practice to implement might be:
Practice Y has a server on which all PHI is stored. This server is in a locked computer room and only a few people have access to it.
When is there ZERO excuse?
If your practice ever…EVER stores PHI on a portable device you BETTER be encrypting that device.
Examples of portable devices include:
- Thumb drives
- External hard drives
I read articles daily about stolen laptops and lost thumb drives that have PHI on them.
The reason these are news is because they were NOT encrypted and were a security breach.
Just imagine this:
You choose to not follow this encryption rule.
Next, a laptop that belongs to your office is stolen from an employee’s car (this happens every day).
You are pretty sure there was no PHI on it, but not really sure as this employee tends to take work home.
The local newspaper shows up and asks, “Why did you not follow the HIPAA regulations and encrypt this laptop?”
With a bead of sweat sliding down your forehead you respond, “That is an addressable item.”
Not the way you want your day to go I’m sure.
Also, to be very clear: password protecting a spreadsheet or computer is not at all similar to encryption.
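Two things above deserve a concrete check: a portable device or laptop that holds PHI must actually be encrypted, and "password protected" is not the same as encrypted. On a Windows laptop the practical way to verify this is the output of `manage-bde -status`, and the script below is an added example (not part of the original post) that parses a constructed copy of that output and flags the volumes that do not protect data at rest. The field layout is assumed from that tool's usual output and the three sample volumes are made up; note the middle case, a drive that reports "Fully Encrypted" but "Protection Off", which is exactly the "looks protected but isn't" trap: the key is stored in the clear while protection is suspended, so the data is readable offline.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of `manage-bde -status` output (assumed format;
# the volumes and values are invented for this example, not taken from the post).
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [OSDisk]
[OS Volume]

    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 500.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        Numerical Password

Volume E: [USB-PHI]
[Data Volume]

    Size:                 14.50 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
"""

# One "Volume X:" header starts each volume block.
VOLUME_HEADER = re.compile(r"^Volume ([A-Z]):", re.MULTILINE)
# Fields are indented exactly four spaces; key protector names sit deeper and are skipped.
FIELD = re.compile(r"^ {4}(\S[^:]*):[ \t]*(.*)$", re.MULTILINE)


def parse_manage_bde_status(text: str) -> Dict[str, Dict[str, str]]:
    """Return {drive_letter: {field_name: value}} from manage-bde -status output."""
    volumes: Dict[str, Dict[str, str]] = {}
    headers = list(VOLUME_HEADER.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        block = text[m.end():end]
        volumes[m.group(1)] = {k.strip(): v.strip() for k, v in FIELD.findall(block)}
    return volumes


def encryption_findings(volumes: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """List (drive, reason) for every volume whose data at rest is not protected."""
    findings = []
    for drive, f in sorted(volumes.items()):
        conversion = f.get("Conversion Status", "")
        protection = f.get("Protection Status", "")
        if conversion != "Fully Encrypted":
            findings.append((drive, f"not fully encrypted ({conversion or 'unknown'})"))
        elif protection != "Protection On":
            # Ciphertext on disk, but the key is stored unprotected while suspended.
            findings.append((drive, "encrypted but protection suspended (Protection Off)"))
    return findings


def is_compliant(volumes: Dict[str, Dict[str, str]]) -> bool:
    """True only when every volume is fully encrypted with protection on."""
    return not encryption_findings(volumes)


if __name__ == "__main__":
    vols = parse_manage_bde_status(SAMPLE_STATUS)
    for drive, reason in encryption_findings(vols):
        print(f"Volume {drive}: {reason}")
    print("compliant" if is_compliant(vols) else "NOT compliant")
```

Run against the real tool's output on each laptop and thumb drive that can hold PHI, and treat anything other than "Fully Encrypted" plus "Protection On" as unencrypted for the purpose of the paper trail; a login password on the same machine changes none of these fields.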
The point here is be very cautious when somebody says that a HIPAA regulation is not required, because really…they all are.