Touchstone Compliance

Cracking the Code of HHS Guidelines for Encryption of PHI

To encrypt or not to encrypt, that is the question.

Or to put it another way: To convert readable data into gibberish that must be decoded to become readable again — or not to convert readable data into gibberish that must be decoded to become readable again, that is the question.

The Health Insurance Portability and Accountability Act (HIPAA) says, “A covered entity must implement a mechanism to encrypt and decrypt electronic protected health information.” That sounds a lot like the government’s way of saying, “End of discussion.”

But actually it’s not that clear cut. HIPAA goes on to state, “a covered entity must implement an addressable implementation specification (encryption, for instance) if it is reasonable and appropriate to do so.”

It’s your call, but . . .

Let’s say you decide, for some reason, that encryption isn’t “reasonable and appropriate” for your practice. The government will allow you to take that tack on one condition: Your decision to not encrypt must be documented in writing. And that documentation, according to HIPAA, “should include the factors considered as well as the results of the risk assessment on which the decision was based.”

In other words, the law doesn’t say encryption is something you absolutely, positively must do. But if you don’t, you’d better be able to demonstrate, in writing, why you’ve made that choice. And here’s something else to consider: In the event of an audit, would the Office of Civil Rights (OCR) be likely to agree with your reasoning? (Knowing what I know, it would be a tough sell. Trust me.)

The government’s case for encryption of PHI

Commenting on a case involving a hospice being fined $50,000 by OCR for a stolen unencrypted laptop that contained just 441 patient records, Leon Rodriguez, the OCR Director at the time, said, “This action sends a strong message to the health care industry that regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information. Data encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

Encrypt — and earn a free pass from HHS

In addition to the fact that encryption helps keep your patients’ information safe if a device with PHI is lost or stolen, it can also go a long way towards protecting your reputation and saving you and your staff a ton of extra work. Why? Because if you’ve taken the step of encrypting your computer, laptop, tablet, thumb drive, or smartphone, and if that encrypted device is lost or stolen, the law says you don’t have to report the loss to HHS. Nor do you have to notify your patients about it. Some have called this aspect of the law a “get out of jail free card.” And if you needed more proof that encrypting patient data is something you definitely should do, there you have it.

How does someone who’s not an IT person handle encryption?

The world of encryption has a language of its own — algorithms, ciphertext, keys — public and private, tangible and intangible. To many healthcare providers, encryption-speak sounds like another kind of gibberish that needs to be decoded.

If the language of encryption is foreign to you, then this area of HIPAA compliance would probably be best handled by calling on technical experts to install and set up your practice’s encryption programs. If you’d like, I’d be happy to put you in touch with a reputable vendor or contractor from the network of experts we here at Touchstone Compliance have come to trust. Give me a call at 760.576.4772.
