HIPAA Experts: Mandatory Encryption Overdue

Dom Nicastro, June 11, 2010

HIPAA compliance experts call the recommendation to mandate encryption on exchanges of electronic protected health information (ePHI) "overdue," "inevitable," and a necessary step toward ensuring a successful transition to electronic health records (EHR).

A privacy/security workgroup for the Office of the National Coordinator for Health Information Technology (ONC) reported last month that encryption should be mandatory for one-on-one exchanges between providers regarding treatments.

The workgroup of the monthly HIT Policy Committee in its May 19 meeting suggested that those exchanges should include:

  • Encryption (no ability for facilitator to access content)
      • Encryption ideally should be required when there is potential for transmitted data to be exposed (mandate through meaningful use/certification criteria or HIPAA Security Rule modification)
  • Limits on identifiable (or potentially identifiable) information in the message
  • Identification and authentication

"I'd say it's long overdue," says Kate Borten, CISSP, CISM, president of The Marblehead Group. "Recall that the proposed security rule in 1998--that's 12 years ago--required that PHI be encrypted over the Internet. While there may have been a legitimate argument then that solutions weren't readily available and cost effective, there are solutions today."

John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and former chairperson of the team that created the HIPAA Security Rule, says the recommendation was inevitable.

"It is merely recognition of what has become an industry best practice," Parmigiani says.

Today, encryption is not mandatory.

It is "addressable" under the HIPAA Security Rule. And the Department of Health and Human Services' interim final rule on breach notification creates a "safe harbor" for unsecured protected health information (PHI) that is encrypted according to certain standards; in other words, covered entities and business associates (BAs) do not need to notify individuals of breaches involving such encrypted PHI.

If the workgroup's recommendation comes to fruition, it would "uncomplicate the situation that many healthcare organizations have been confronted with when trying to decide on encryption," Parmigiani says.

Back when the security rule was proposed in 1998, then finalized in 2003, encryption technology was immature, Parmigiani says.

Now, however, there have been "inroads in the understanding of encryption," he says, and widespread use of software and hardware encryption.

"Therefore, I believe that the formal recommendation is both timely and an essential component of successful HIT and is critical to the attainment of consumer confidence in a fully robust EHR and smoothly functioning HIE environment," Parmigiani says.

The privacy/security workgroup provides input to the Health IT Committee as it sets the ground rules for the criteria of "meaningful use" of EHRs.

On December 30, CMS and the Office of the National Coordinator for Health Information Technology (ONC) released two anxiously awaited regulations providing both the definition of "meaningful use" for EHRs and the standards to improve the efficiency of health information technology used nationwide by hospitals and physicians.

Currently, the ONC interim final rule, "Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology," requires that EHR systems be capable of encryption.

Final rules on the ONC interim final rule and the CMS proposed rules are expected this spring. However, the interim final rule is already in effect.

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.