PHI Safeguard Compliance Requirements for HIPAA/HITECH and MU – Part 1

PHI Compliance Requirements Webinar Questions/Answers – Part 1

On July 30, 2014, we hosted a webinar event with national HIPAA expert Edward Jones. The event attracted almost 800 registrants, so naturally there were a ton of questions. We decided to share the Q&A with our entire audience in a four-part series. You can follow Ed on Twitter @HIPAAsafeguards.

1.  Encryption is an addressable standard.  If you do not encrypt ePHI, what is an acceptable alternative?

Answer:  “Addressable” for encryption for data at rest and for data in motion dates from the early 2000s, when the HIPAA Security Rule was originally composed.  If the HIPAA Security Rule were written today, I believe encryption for each would be required, especially with the proliferation of mobile and portable devices and the large number of breaches of such equipment.  The Guidance is really a surrogate for the “requirement,” giving the holder or transmitter of ePHI the option of “securing” the data through appropriate encryption or risking breach notification and resultant costs if a device with “unsecured” ePHI were lost or stolen.  Under current regulations, there is no alternative to “securing” the data through encryption if you want a safe harbor from breach notification.  Please consult Data Motion, sponsor of the Webinar, for additional information on encryption.

2.  What are the specific differences between the MU1 and MU2 PHI security requirements?

Answer:  Most of the changes are language changes and rearranging of HIPAA implementation specifications into several new categories.  The biggest change is related to adding a clause related to encryption in the measure, mandating “including addressing encryption/security of data stored in Certified EHR Technology in accordance with the addressable provision and the HIPAA data at rest implementation specification.”  See 45 CFR 164.312(a)(2)(iv) for the HIPAA data at rest implementation specification.  While the specific criterion for data in motion has been removed, it still is required as part of the risk analysis and for the HIPAA technical implementation specification at 45 CFR 164.312(e)(2)(ii).

3.  What are the key security issues with PHI in Patient Portals?

Answer:  A patient portal is a secure online website that gives patients convenient 24-hour access to personal health information from anywhere with an Internet connection.  Using a secure username and password, patients can view their health information, schedule appointments, request Rx refills, exchange email, etc.  This is a Direct Data Entry (DDE) function.  The healthcare provider or health plan is required to ensure that the patient’s ePHI in its care (“designated record set”) is secure, while the patient does not have the same liability.  We recommend that physicians and health plans encrypt the data at rest, and that any communication from the covered entity requires that the patient log on to the secure portal to access documentation in the provider’s care.

Ed Jones is an author, and owner and CEO of Cornichon Healthcare Select, LLC, which provides consulting services pertaining to HIPAA/HITECH Act privacy and security compliance, and design of mobile strategies for healthcare transactions.  At Cornichon’s Website, at, Ed offers online privacy and security safeguard guidance and reference tools and policies and procedures for achieving compliance with HIPAA Privacy, Security, and Breach Notification Final Rule and Stage 1 and 2 Meaningful Use Security Measure compliance.