HIPAA Encryption requirements? Not really! To be sure, encryption may not always be directly required, but it is often best practice.
When it comes to HIPAA compliance, the way you store sensitive data is just as important as where. Meeting HIPAA requirements with electronic data encryption is a good place to start, but we also recommend a few additional measures beyond simple encryption to help prevent costly data breaches.
We recommend using encryption as a method to secure data and devices!
In 2018, HIPAA penalties hit an all-time high. Even though several settlements were reached, many entities paid substantial fines. Often, the health facilities or contractors were cited for lackluster encryption – paying fines even with no evidence of a data breach.
Last year, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a $4.3 million fine to University of Texas MD Anderson Cancer Center, in part, for no encryption. Similarly, Fresenius Medical North America picked up a $3.5 million fine, and lack of encryption was one of several noted violations.
In 2017, Children’s Medical Center of Dallas was issued a fine for $3.2 million, in part, for failing to encrypt a phone and a laptop that were stolen, violating HIPAA requirements. The same year, CardioNet, a company that specializes in mobile electrocardiograms, accrued a $2.5-million fine. One serious violation included the theft of an unencrypted laptop, also in violation of HIPAA encryption requirements.
Encryption Requirements: The Case of University of Texas MD Anderson Cancer Center
What happened with the University of Texas MD Anderson Cancer Center reads like a cautionary tale of not following HIPAA encryption requirements. Despite no evidence of a breach, the cancer center, by not encrypting data, was ordered to pay. In this case, the center chose to fight the OCR ruling in court but was unable to disprove the OCR’s findings.
An HHS Administrative Law Judge upheld the fines and ruled in favor of the OCR. The unfortunate part of the whole ordeal rests in the findings by the OCR, which uncovered written encryption policies but little or no implementation for years, leaving electronic patient health information (ePHI) vulnerable.
According to an HHS press release from June of last year, “OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high-risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011, and January 25, 2013.” (MD Anderson is appealing the HIPAA fine).
It is easy to accrue a fine for noncompliance with HIPAA encryption requirements. How many hospitals or clinics likely have an old computer with sensitive information stored in a closet or a backroom? A computer with dated encryption that can easily be breached with today’s technology, or a device in a drawer with no encryption at all. Maybe an employee takes the computer or device home. Why not? It is not being used.
Rules and Regulations When It Comes to Meeting HIPAA Requirements
Encryption, applied to ePHI files, renders the data unreadable to anyone who does not hold the decryption key. When devices are properly encrypted, even theft of a device leaves the data useless to the thief. Had University of Texas MD Anderson Cancer Center done this, HIPAA fines might not have reached into the millions.
HIPAA compliance policies on encryption requirements are deliberately vague so that they can be applied across many diverse covered entities. The rules are also hazy because, when the Security Rule was adopted, it was understood that technological advances could render any specific encryption wording obsolete. In other words, HIPAA encryption requirements are hazy, but they are also technology-neutral and can be applied to current and future tech.
The wording suggests that covered entities can choose appropriate solutions based on risk assessment and risk analysis. Not only do these solutions have to be written down, but they also have to be implemented across all devices, including cell phones. In fact, encryption must be demonstrable and hold up across every IT process. This includes data in motion, that is, data traveling from one device to another.
In short, meeting HIPAA’s data encryption requirements means encrypting every device that contains ePHI and documenting this all-inclusive encryption. How you choose to do this is up to you. However, are you qualified to cover every base and consider every possible scenario when it comes to encryption?
Technologies, including hacking tools, are always evolving. The encryption methods that are “foolproof” today, in other words, could be vulnerable to a breach tomorrow.
What Encryption Safeguards Against
Encryption safeguards against data breaches by securing a patient’s most sensitive information. Beyond that, encryption also protects against:
- Email breaches – when email is end-to-end encrypted, an intercepted message is unreadable;
- Device theft consequences – the device is stolen, but the data on it is unreadable;
- Ransomware – backing up your system also helps protect you from the high cost of ransom;
- Spyware – spying is moot when the captured data is unintelligible.
What is Encryption Software?
Encryption requirements apply across your systems and devices, but how do you encrypt? What is the best software or program to keep sensitive information safe? Encryption requirements are addressable, so the choice is yours:
- “PC Magazine” has released its 2019 list of the best encryption software. This list ranked AxCrypt Premium and CertainSafe Digital Safety Deposit Box as the top programs.
- Microsoft also offers HIPAA- and HITRUST-compliant software through Azure, its cloud platform. Cloud storage can also be encrypted.
We recommend leaving nothing to chance. Full disk encryption and end-to-end encryption will always be the best course. You also need intuitive encryption software to stay a step ahead of hacker technology and to shore up human error: for example, software that closes and secures open documents after a period of inactivity, and a software model that is maintained and upgradeable across operating systems.
The Fox Group’s Recommendations and Considerations
As a provider, you want to protect ePHI, not merely because of potential HIPAA fines but because you are entrusted – and trusted – with the most sensitive patient data and information.
- Understand how encryption works, what is required, what should be encrypted and who has access, and document everything. For the most part, encryption relies on algorithms to secure data. These include:
- Asymmetric key algorithms that depend on two different keys – one to encrypt data and a separate one to decrypt it
- Symmetric key algorithms that rely on a single shared key to both encrypt and decrypt
- End-to-End Encryption is also crucial. Make sure you are using end-to-end encryption per HIPAA requirements. This means only you and the recipient can open and view the information. Further, if the means of transfer relies on an intermediary server that can read or store the data, it cannot be used by covered entities. In other words, do not send sensitive information, such as PHI, through a non-encrypted transfer method such as personal email or a messaging app.
- Data at Rest is often overlooked. Data stored on a device that is no longer in use is one form of data at rest. Consider the devices that have been taken out of service – older cellphones, slow laptops and obsolete computers. Do they contain ePHI or other sensitive information? Are these devices stored on-site? Are they encrypted? Remember, hard drive disposal is part of the physical safeguards within the HIPAA Security Rule. Also, you will want to inventory all devices and document their disposal.
- HHS recommends the following means of disposal:
- Burning, pulping or pulverizing physical paper records until they are unreadable;
- Relying on a qualified disposal vendor to destroy prescription bottles and labeled prescribed medical devices;
- For ePHI or other sensitive data, overwriting the files or destroying the media through melting or pulverizing.
- Full Disk Encryption is a good way to help meet HIPAA compliance, but it is not a requirement. Here the entire drive is encrypted, including data at rest that will never be transferred. This includes email encryption. This also protects you against ransomware and other malicious invaders.
- Access for Trained and Necessary Personnel only is mandated. Who has access to these devices, and do only the right people hold the encryption keys? You do not want a medical office, a billing department or a covered contractor allowing multiple people access to these encryption keys across devices. The potential for error or misuse – even accidental – is enormous. Further, an untrained or noncompliant employee can open an encrypted document, leave his or her workstation, and forget to close and secure the information.
- Remember Your Paper Files to stay compliant. HIPAA compliance is not limited to electronic patient information. Keep your paper files locked and limit access to trained and necessary personnel only.
- Backup is another special consideration. To survive a natural disaster, we recommend backing up data and storing it off-site. The off-site copies must be encrypted, too!
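To make the asymmetric and symmetric algorithm families above concrete, and to show what an encrypted backup or data-at-rest copy actually contains, here is an added example in Go. It is not code from The Fox Group or from this page; the type and function names (SealedRecord, GenerateKeyPair, EncryptRecord, DecryptRecord) and the fictitious patient record are my own. A fresh random AES-256-GCM key (symmetric) encrypts the record, and an RSA-OAEP public key (asymmetric) wraps that key so only the holder of the private key can open the record. The example also shows that a record modified in storage, or opened with the wrong private key, is rejected rather than silently decrypted into garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SampleRecord is a constructed, fictitious ePHI record used only to exercise the code.
const SampleRecord = "MRN 0000000 | DOE, JANE | DOB 1970-01-01 | Dx: sample (constructed)"

// SealedRecord is the only form that should ever reach a disk, a retired laptop
// or an off-site backup: an RSA-wrapped data key, a GCM nonce, and ciphertext
// that GCM authenticates. None of it is readable without the private key.
type SealedRecord struct {
	WrappedKey []byte // AES key, encrypted with the recipient's RSA public key
	Nonce      []byte // per-record GCM nonce; must never repeat under one key
	Ciphertext []byte // AES-GCM output with the 16-byte authentication tag appended
}

// GenerateKeyPair creates the asymmetric pair. The public half may be spread
// across devices to seal records; the private half stays with trained,
// necessary personnel only.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptRecord seals plaintext with a fresh symmetric key, then wraps that key
// with the asymmetric public key (a standard hybrid scheme).
func EncryptRecord(pub *rsa.PublicKey, plaintext []byte) (*SealedRecord, error) {
	// Symmetric half: a random 256-bit AES key used for this record only.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)

	// Asymmetric half: only the matching private key can recover the data key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &SealedRecord{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// DecryptRecord reverses EncryptRecord. Both failure paths return an error
// instead of garbage: a wrong private key cannot unwrap the data key, and a
// record altered in storage fails GCM authentication.
func DecryptRecord(priv *rsa.PrivateKey, rec *SealedRecord) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong private key or damaged record")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("authentication failed: record was modified after it was sealed")
	}
	return plaintext, nil
}

// newGCM builds an AES-GCM AEAD from a raw key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	rec, err := EncryptRecord(&priv.PublicKey, []byte(SampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed: %d wrapped-key bytes, %d ciphertext bytes\n", len(rec.WrappedKey), len(rec.Ciphertext))

	out, err := DecryptRecord(priv, rec)
	fmt.Printf("opened with the right key: %q (err=%v)\n", out, err)

	rec.Ciphertext[0] ^= 0x01 // simulate a single corrupted byte on disk
	_, err = DecryptRecord(priv, rec)
	fmt.Println("opened after tampering:", err)
}
```

The split between the two key types is the point of the example: the symmetric key does the bulk work and is different for every record, while the asymmetric private key is the one secret that the access-control bullets above are about, so it is the one to keep with as few people as possible and never on the backup media itself.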
And one more thing. Windows 7 End of Life requires special consideration. According to “Computerworld,” approximately 184 million businesses, including healthcare entities, still use Windows 7. In January 2020, Microsoft will no longer support this operating system, which means no security updates. This can also mean automatic noncompliance or paid support. Do not wait until the last minute. Some older computers and devices may not accept the Windows 10 upgrade, or important software and virus protection – including encryption software – may not be compatible with a new operating system.
And document everything you do!