[ Wednesday, November 25, 2009 ]
More sage advice from Dom Nicastro. Then again, what would you expect, given who he's taking advice from?
Actually, early on in the life of the HIPAA Security Rule, many IT guru types jumped onto the encryption bandwagon with both feet, saying things like "encryption is industry standard and failure to encrypt is per se an unreasonable violation of the Security Rule," or "sending email over the internet in clear text (i.e., unencrypted) is a violation of the Security Rule." Well, the Security Rule has always listed encryption as an adoptable standard, not a required one; that means any covered entity must review its operations, practices, capabilities and finances and determine whether it should encrypt, but that it may reasonably determine that encryption is not necessary for structural, organizational, operational, or financial reasons. I have consistently advised people that you have to take an honest look, but if you determine that encryption isn't necessary, you don't have to do it.
That reasoning holds true today: you are still Security Rule compliant if you've made this determination. HOWEVER, under the new Data Breach Rules, your obligations upon a data breach are dramatically higher if you do not encrypt. Encryption, done properly, will be a "get out of jail free" card if you have a data breach.
I'd call that a game changer.
So, am I guilty of changing my opinions? To quote the only thing Keynes said that was right: "When the facts change, I change my mind. What do you do sir?"
Jeff [12:35 PM]