Friday, August 31, 2012

Encryption: A De Facto Requirement?

No one will say it.
Why won’t the regulators just say it?

Some of you have your ePHI in the cloud. Some of you work for health care systems that do not let you save your ePHI locally, but take ownership of all ePHI on a central server. Hopefully, those cloud vendors and the centralized information service departments are protecting ePHI with strong technical safeguards. (Check to make sure.) But for the rest of you with an EHR, consider this:

The HIPAA Security Rule makes encryption an addressable specification. Addressable does not mean optional, as I have mentioned before; however, it does not mean “required” either. It means you need to assess whether the specification is a “reasonable and appropriate” safeguard and then either implement it or document why it would not be reasonable and appropriate, putting an equivalent alternative measure in place if that alternative is reasonable and appropriate. Huh?

Clearly, you are mandated to have strong technical safeguards like encryption. Instead of the regulators doing this little dance, shouldn't they just say required?

Likewise, the just-published final Meaningful Use Stage 2 requirements call for the eligible professional to “conduct or review a security risk analysis in accordance with the requirements under (HIPAA) 45 CFR 164.308(a)(1), [which includes] addressing the encryption/security of data stored in a Certified EHR… and implement security updates as necessary and correct identified security deficiencies as part of the EP's risk management process.”

Translation: Do the HIPAA security risk analysis. If you think it is not reasonable to encrypt your data-at-rest, then implement other equivalent safeguards. Document your whole thought process and rationale. It might be easier just to encrypt.

And the not-yet-final-but-still-enforceable HITECH Interim Final Rule regarding Breach Notification tells us that encryption to a certain government-blessed standard will take the provider out from under all of the breach notification requirements, which spares the provider the need to alarm its patients and see its worst PR nightmare splashed all over the media. But, of course, no one says it is required.

I do not pretend to have technical expertise, so I do not recommend particular encryption products. However, I do read the regulatory guidance, which refers to National Institute of Standards and Technology (NIST) Publication 800-111 regarding data at rest. I also heard the Director of the OCR say at the National HIPAA Summit that the vast majority of breaches come from loss or theft of electronics. To keep your practice off the DHHS Wall of Shame, and to protect both the reputation of your practice and the data of your patients, encryption seems worth the investment.
