Encrypting ePHI to Achieve HIPAA Security

By defining "breach" to exclude the unauthorized disclosure of encrypted ePHI, the HHS gave organizations a powerful opportunity to limit their financial exposure to ePHI breaches. The potential financial impact of a breach of unencrypted ePHI can be huge, and the civil monetary fines from the HHS can reach into the millions. A financial impact model recently released by an ANSI workgroup evaluated a hypothetical scenario in which a major New York hospital lost a magnetic tape containing 854,000 patient records, at a cost of over $25,000,000.[iii] Clearly the model imagined a worst-case scenario, but the costs of legal fees, training expenses, loss of reputation, and so on can add up quickly.
Importance of Encryption

Moreover, implementing encryption greatly reduces the likelihood that your organization will experience a breach. A recent study by the HHS found that almost forty percent of "large breaches" resulted from "lost or stolen devices." If the ePHI on those devices had been encrypted, the data would have remained secure and no breach would have occurred. The increasing prevalence of mobile devices will only make lost or stolen devices more common. One organization learned the hard way that "mobile" is a relative term when a workstation became mobile after a thief smashed a window and ran off with over 4 million patient records.

Keep in mind that, depending on the circumstances of the breach, your organization may still have obligations under other federal or state laws (46 states currently have breach notification laws).

2. Stage 2 Meaningful Use Proposed Rule Indicates HHS’s Strong Stance on the Benefits of Encryption

HHS's recently published proposed Stage 2 Meaningful Use requirements further indicate the continued push Washington has made towards advancing encryption and give organizations further reason to understand the benefits of encrypting ePHI. The Stage 2 HIPAA risk analysis requirement distinguishes itself from Stage 1 by specifically calling out encryption. Proposed Stage 2 Meaningful Use requires organizations to attest to a risk analysis that considers whether encryption of "data at rest" and "data in motion" is reasonable and appropriate.

HHS's oversight role in HIPAA compliance audits is a reason to take note of this mention of encryption. Although the law hasn't changed, the focus indicates it is wise to evaluate whether encryption is appropriate in every setting where ePHI is handled. Simply encrypting may provide more certainty than attempting to figure out what an "equivalent" measure would be.

Conclusion

Washington's next step may very well be to make encryption explicitly required for all covered entities. Nevertheless, management at nearly all healthcare organizations should already be requiring its implementation. The HHS's focus, and the magnitude by which financial risk can be reduced, demand this approach. For these reasons, your organization should make encryption a mandatory piece of its financial risk management program.

[i] NIST Special Publication 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

[ii] The Secretary requires that encryption meet standards developed by NIST and FIPS.

[iii] ANSI, The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security (2012).

Matt Wimberley is a consultant and blogger at Santa Rosa Consulting, where this article was first published. Santa Rosa Consulting is a national provider of management consulting and information technology services to the healthcare industry.