To Encrypt or Not To Encrypt

Tuesday, April 22nd , the government announced two significant HIPAA Settlement and Resolution Agreements related to breaches of unsecured patient information caused by stolen laptops. One settlement agreement addressed a healthcare provider that stored patient information on a laptop that was stolen from the facility. The laptop contained patient information that was not encrypted. Because the government believed the lack of encryption caused a critical risk, the penalty was $1,725,220. The second case involved 148 unsecured patient records located on a stolen laptop that was self-reported to the government. The government then investigated and found that the entity failed to adequately implement HIPAA Security safeguards until after the breach. In this case, the entity was fined $250,000. In both cases, the healthcare providers were required to enter into a corrective action plan in addition to the fines and penalties.

One key element of the corrective action plan was for the healthcare provider to perform an information risk assessment. Information risk assessments should enable a healthcare provider to fully evaluate its information technology system and identify any risks and vulnerabilities within the system. One safeguard that must be addressed in an information risk assessment is whether the data should be encrypted at rest and in transmission. HIPAA does not expressly require encryption. However, if a provider does not encrypt the data when it is at rest or in transmission and there is a breach of more than 500 records, the provider must notify the government and the media of the breach of unsecured information. The government will then investigate and institute the applicable fine or penalty.

Based upon the significant fines that were imposed on Tuesday, the government has raised the importance of using encryption to protect the security of protected health information. Use of encryption is especially important when using mobile devices. In fact, the government representative that commented on the cases in the Department of Health and Human Resources press release stated, “Our message to these organizations is simple: encryption is your best defense against these incidents.”

On the other hand, many providers claim that encryption slows down access and transmission of information and may not be necessary if the data is stored in secure facilities. If a provider elects not to implement encryption, it is imperative that the provider perform an information risk assessment and document the reasoning for the absence of encryption. The provider should also detail the other safeguards that are utilized to proactively prevent improper access, use or disclosure of protected health information. Likewise, the provider should ensure that protected health information is not transmitted to or from or stored on mobile devices. Otherwise, healthcare providers should renew their focus upon encryption and whether it is the appropriate level of security for its patient protected health information.

In addition, providers should not lose sight of the HIPAA Security Rule requirement to perform an information risk assessment. Conducting an information risk assessment is a foundational component of HIPAA Security Rule compliance. Performing an information risk assessment is also required for a healthcare provider to obtain meaningful use financial incentives. If a provider acts in reckless disregard of the HIPAA requirements, the fines and penalties may increase. In fact, over the last year, many of the HIPAA enforcement actions and related penalties have focused upon the providers’ lack of an information risk assessment and inadequate policies and procedures. In Tuesday’s case where 148 patient records were breached, the government found that the provider failed to adequately assess and implement the required HIPAA security safeguards from 2005 to 2012. Therefore, even though the provider self-reported the breach, the provider was still subject to a significant fine.

As recently as March 28, 2014, the government provided a security risk assessment tool for providers to utilize. Each provider should use the tool to answer the questions, identify vulnerabilities and develop an action plan to address any potential risks. Because a security risk assessment tool has been provided and the requirement to perform such an assessment has been in effect since 2005, it is critical for healthcare providers to use the tool and implement the appropriate safeguards to avoid potential fines and penalties. If a provider is not in compliance with the HIPAA requirements, including maintaining adequate policies and procedures for privacy and security, the government may fine and penalize the healthcare provider up to $1.5Million per violation. The two cases this week are prime examples of the types of fines that may be assessed if a provider fails to utilize the information risk assessment to identify vulnerabilities and implement adequate policies and procedures to protect patient protected health information. Therefore, at a minimum, healthcare providers should complete the security risk assessment tool and assess whether encryption should be a mitigating safeguard incorporated into the providers’ information technology compliance program.

Comments are closed.