Encryption Critical in Healthcare

By John Wagley

01 July 2012

Print Issue: July 2012

ENCRYPTION TECHNOLOGY and solutions are becoming less expensive and easier to use and should increasingly be employed by healthcare organizations of all sizes, according to a top U.S. Department of Health and Human Services (HHS) healthcare privacy official.

Encryption protects proprietary information from hackers and protects organizations from heavy regulatory fines and other penalties in the event of a data breach, said David Holtzman, health information privacy specialist at HHS’s Office for Civil Rights (OCR).

OCR is responsible for enforcing security and privacy rules mandated by the Health Insurance Portability and Accountability Act (HIPAA). Holtzman made the remarks at the recent Global Privacy Summit in Washington, D.C., sponsored by the Independent Association of Privacy Professionals.

OCR data shows that the loss and theft of laptops and portable electronic devices is one of the most common ways that proprietary data ends up in the wrong hands. But if the data is encrypted, it’s unlikely that the data can be accessed; thus, security and privacy will not be compromised.

HIPAA does not require healthcare organizations to use encryption, but during a question and answer section of the presentation, Holtzman said that it’s becoming more important to use. “Maybe the needle is beginning to shift” toward having encryption become more of a necessity, he said, “because these technologies are becoming more accessible and more affordable.” He added, however, that he was voicing a personal opinion, not speaking in an official legal capacity for the OCR.

Healthcare organizations that fail to protect sensitive healthcare data can be subject to large fines and other penalties. In March, for example, OCR announced the first enforcement action resulting from a new breach self-report mandate required under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

HITECH, passed in 2009, was meant to supplement security and privacy provisions in the HIPAA. In the enforcement action, Blue Cross Blue Shield of Tennessee agreed to pay HHS $1 million to settle potential violations of HIPAA’s privacy and security rules after the company filed a report informing HHS that 57 unencrypted computer hard drives, containing sensitive health information on more than one million people, had been stolen.

Encryption is only part of the solution, of course. There should be a range of security protocols in place. And healthcare organizations should also ensure that proper safeguards are in place to protect any data that is held by third parties, Holtzman said. Even if data is lost by a third party, “covered entities” are still responsible for reporting data breaches, he said. Healthcare organizations should ensure that if a breach is caused by a business partner, a “process is in place” to communicate the violation to the covered entity.

Holtzman also described how HHS planned to launch an auditing pilot program this year in which it would visit and evaluate the security and privacy safeguards of approximately 115 healthcare organizations. A main goal of the initiative will be to examine as many different kinds of covered entities as possible. Although some healthcare organizations have expressed concerns that the audits would be punitive, Holtzman said the evaluations were intended to be more educational in nature.

Reports will not be made public. There’s going to be “no hidden agenda, no gotcha moments,” he said. “OCR will conduct audits to see what technical assistance we need to develop to help all companies generally.”

Holtzman discussed other tools that could help organizations comply with HIPAA’s security and privacy rules. One is provided by the National Institute of Standards and Technology, called the HIPAA Security Rule Toolkit, and it is available online. “It’s sort of like [the software program] TurboTax for [healthcare] security compliance,” he said.

Training employees, regularly inspecting existing policies and procedures, and instituting and preparing an “action plan” to respond to any security incidents were among the other compliance measures that Holtzman discussed.