09-18-13 | Blog Post
Before law school, Brian Balow studied journalism for five semesters of his undergraduate years, so using an adaptation of the reporting axiom ‘who, what, where, when, why and how’ was a logical way to break down the points in his recent ‘Tuesdays at 2’ webinar, Removing the ‘Cryptic’ from ‘Encryption’ – HIPAA and the Meaning of Secure PHI.
And because the former cum laude graduate of the University of Georgia School of Law is now a leading attorney concentrating his practice at Dickinson Wright PLLC in the areas of information technology – and a valued contributor to Online Tech’s series of educational webinars – his arbitrary arrangement of that axiom was deemed admissible by the court of public opinion.
Here is what you can expect to learn by viewing a replay of the 51-minute presentation about Protected Health Information (PHI) and data encryption as it relates to HIPAA and Meaningful Use compliance (available here):
That’s a lot of questions that need to be answered, something Balow noted when he was ‘doing a little historical digging’ into the legislative history and language around HIPAA in preparation for the webinar.
“It’s interesting and a little disappointing that when you look back even in 1996, there was a focus on the electronic exchange of health information. They knew this was the wave of the future even back then,” Balow said. “Fast forward to September of 2013 and we’re still talking about issues that pertain to electronic health records, and how they’re protected, and Meaningful Use to try to incentivize organizations and providers to adopt records. So we’re coming up on 20 years and we’re still working on this stuff.”
A summarized recap of the presentation follows. For complete details, view the recording and download slides for access to resource links.
What (requires protection)?
Protected Health Information (PHI) must be protected. Balow covered the long, legalese definition, but said it comes down to this: Any electronic health information that identifies an individual or can be used to identify an individual must be encrypted.
Balow notes that there is a lot of overlap between HIPAA, Meaningful Use and other personally identifiable information (PII)-centered laws such as state data breach notification laws, the PCI Data Security Standard, the Gramm-Leach-Bliley Act, etc. “The point being,” Balow said, “If it’s individually identifiable information in the healthcare industry, it’s likely PII in other industries, as well.”
Why (is protection important)?
Balow covered the HIPAA Enforcement Rule, Security Rule and Breach Notification Rule in depth. He notes the security rule “is the part of HIPAA that really has caused most of the noise over the last nine months since the final rule came out, because there was a host of business associates out there who suddenly were directly liable … who did not have the administrative, technical and/or physical safeguards in place that were required of them.”
Cited in the webinar is Office for Civil Rights statistics that show 9,411 investigations resolved in 2012, a number Balow says is an increase from zero not many years ago. He also covers HIPAA civil money penalties resulting from failure to encrypt.
Balow points out that one reason to encrypt data is because the Breach Notification Rule requires notification of a breach only after unsecured protected health information. Electronic PHI becomes secured through the adoption of encryption techniques approved by HIPAA regulations.
“Putting aside the potential civil money penalties – which are not insignificant – if you are dealing with unsecured PHI and have a breach, you have the added cost of hiring a lawyer or using internal resources to do an analysis and prepare the notices and figure out everyone you have to track down. Keep in mind you’ll probably have to do that with state data breach notification laws and potential federal trade commission issues related to your privacy policy. As well as the bad publicity that goes with it. If I encrypt, I need not worry about this.”
Balow also describes how the use of encryption to reach Meaningful Use, Stage 2 status is more focused on end-user device encryption, such as laptops, flash drives and mobile hardware.
How (should it be protected)?
For HIPAA compliance, encryption is the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key and that process or key must be stored separate from the data. Any process must be judged to meet National Institute of Standards and Technology (NIST) standards.
Noting he’s an attorney and not a technology expert, Balow pointed to an Online Tech resource to help answer this question: /blog/encrypting-data-to-meet-hipaa-compliance
The Centers for Medicare & Medicaid Services, who deem Meaningful Use status, also emphasize the importance of organizations ‘including in its security risk analysis an assessment of the reasonable and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure.’
Translation, counselor?
“I think what they’re really saying is, if you are properly performing a HIPAA security risk analysis – which you are required to do if you are a covered entity or a business associate – then whatever conclusion you reach as it pertains to encryption under that regime should suffice under the meaningful use regime,” Balow said.
Balow also took a moment to suggest finding additional information on the U.S. Department of Health and Human Services and the Centers for Medicare and Medicaid Services websites.
“They’ve done a lot of work, gone through a lot of effort, to put resources and information on their websites to help people in the industry to understand and comply with what is now required under HIPAA and with respect to the Meaningful Use regulations,” Balow said.
Who (should encrypt)?
Balow said he has been guilty in the past of making broader statements in certain contexts as it relates to ‘who should encrypt?’ than really are appropriate. “It’s an easy conclusion to reach, why wouldn’t we encrypt?” Balow said. “But it is not necessarily a one size fits all. Context does matter.”
He notes encryption is one of many tools to protect data, and is not required in all environments. A ‘wild example:’ A doctor in the Upper Peninsula of Michigan who only takes cash and has all paper records doesn’t need to encrypt.
Beyond that, and some other less unusual examples, Balow said that if you are an Eligible Professional (EP), Eligible Hospital (EH) or Critical Access Hospital (CAH), the likelihood is that encryption makes sense to achieve Meaningful Use status.
“The way that I read the regulations is that if you want to meet Stage 2, you are going to encrypt,” Balow said. “It would probably be a rare case where you could get out of Stage 2.”
Even those organizations that don’t take Medicare and Medicaid – and therefore aren’t interested in Meaningful Use compliance – still need to make a serious risk assessment, he said. He noted the previously-mentioned Breach Notification Rule alone may be enough to drive a decision to encrypt.
“You are still subject to HIPAA as a covered entity or a business associate. You don’t care about Meaningful Use, but you still need to do that Security Rule risk assessment that will guide your decision on whether to encrypt,” he said. “Remembering it’s an addressable standard and you have to prove why you shouldn’t encrypt – why your technical safeguards, physical safeguards and administrative safeguards are sufficient so additional steps are not required.”