Friday, August 31, 2012

Encryption: A De Facto Requirement?

No one will say it.
Why won’t the regulators just say it?

Some of you have your ePHI in the cloud. Some of you work for health care systems that do not let you save your ePHI locally, but take ownership of all ePHI on a central server. Hopefully, those cloud vendors and the centralized information service departments are protecting ePHI with strong technical safeguards. (Check to make sure.) But for the rest of you with an EHR, consider this:

The HIPAA Security Rule makes encryption an addressable specification. Addressable does not mean optional, as I have mentioned before; however, it does not mean “required” either. It means you need to assess and determine whether the specification is a “reasonable and appropriate” safeguard, then either implement it or document why it would not be reasonable and appropriate, and then put an equivalent alternative measure in place if that is reasonable and appropriate. Huh?

Clearly, you are mandated to have strong technical safeguards like encryption. Instead of the regulators doing this little dance, shouldn't they just say required?

Likewise, the just-published final Meaningful Use Stage 2 requirements call for the eligible professional to “conduct or review a security risk analysis in accordance with the requirements under (HIPAA) 45 CFR 164.308(a)(1), [which includes] addressing the encryption/security of data stored in a Certified EHR… and implement security updates as necessary and correct identified security deficiencies as part of the EP's risk management process.”  

Translation: Do the HIPAA security risk analysis. If you think it is not reasonable to encrypt your data-at-rest, then implement other equivalent safeguards. Document your whole thought process and rationale. It might be easier just to encrypt.

And the not-yet-final-but-still-enforceable HITECH Interim Final Rule regarding Breach Notification tells us that encryption to a certain government-blessed standard will take the provider out from under all the breach notification requirements, which includes sparing the provider the need to alarm its patients and splash its worst PR nightmare all over the media. But, of course, no one says it is required.

I do not pretend to have technical expertise, so I do not recommend particular encryption products. However, I do read the regulatory guidance that refers to National Institute of Standards and Technology (NIST) Publication 800-111 regarding data at rest. I also heard the Director of the OCR say at the National HIPAA Summit that the vast majority of breaches come from loss or theft of electronics. To keep your practice off the DHHS Wall of Shame, and protect both the reputation of your practice and the data of your patients, it seems worth the investment.  

Saturday, August 11, 2012

It’s All About Access

So with all the talk about the OCR HIPAA Audit program, and the initial findings that have been reported, we are brought right back to basics. Among other things, the KPMG auditors are looking at the privacy practices we were putting into place back nearly 10 years ago. And the OCR has recently issued a memo on patients' right of access to their protected health information (PHI), encouraging patients to actively participate in their own medical care. Patient rights are supreme.

Even so, one area of repeated deficiency found by the auditors relates to an absence of policies and procedures around patient access to their PHI. Does that surprise you? Or perhaps it resonates with you?

Practices generally are required to allow patients to see or receive a copy of their PHI within a designated period of time. Under HIPAA, the deadline is 30 days, unless an extension of time is requested. State laws will vary. In Maine, patients whose specially-protected category of Mental Health information is covered by the Maine Rights of Recipients of Mental Health Services (“Rights Rules”) may review their information, with supervision, within 3 business days. Likewise, a Meaningful Use Core Measure also requires proof that more than 50 percent of all patients who request an electronic copy of their PHI are provided it within 3 business days.

Under the HITECH Interim Final Rule, covered entities, such as medical and other clinical practices, that maintain PHI electronically are required to provide patients with their record in electronic format, or to transmit the data to a designated entity or individual at the patient’s request. These few words in the HITECH Act create a sizable change for the operations of a practice or health care organization, especially where the entity is in a hybrid state, meaning that the PHI is kept in paper, electronic and/or other formats. Do you provide the electronic record on a flash drive, on a CD? Are you able to transmit the electronic record securely?

Note that HITECH only allows for the labor costs associated with providing electronic PHI electronically, while state law tends to cover the costs associated with paper copying fees.

Does your practice have a patient access policy and process that is being followed for PHI in varying formats? How are requests by personal representatives handled? When was the last time this area of your organization was monitored for compliance? Are you aware of the high enforcement penalties associated with lack of compliance?

In light of the OCR’s emphasis on HIPAA patient rights, the new audit programs under HITECH, and now the recently announced CMS Meaningful Use Attestation Audits, being sure that you have a practice in place, including a process for denial of access if necessary (for example, if there is a risk of harm in providing access to the record), has never been more necessary. Be sure to record your efforts, as well as all requests and responses, to prove your actions and good faith. And know that you are doing the right thing for the patients, for your practice's reputation, and for your bottom line.