HIPAA Blog

[ Wednesday, November 25, 2009 ]


Encryption: More sage advice from Dom Nicastro. Then again, what would you expect, given who he's taking advice from?

Actually, early on in the life of the HIPAA Security Rule, many IT guru types jumped onto the encryption bandwagon with both feet, saying things like "encryption is industry standard and failure to encrypt is per se an unreasonable violation of the Security Rule," or "sending email over the internet in clear text (i.e., unencrypted) is a violation of the Security Rule." Well, the Security Rule has always listed encryption as an addressable specification, not a required one; that means any covered entity must review its operations, practices, capabilities and finances and determine whether it should encrypt, but it may reasonably determine that encryption is not necessary for structural, organizational, operational, or financial reasons. I have consistently advised people that you have to take an honest look, but if you determine that encryption isn't necessary, you don't have to do it.

That reasoning holds true today: you are still Security Rule compliant if you've made this determination. HOWEVER, under the new Data Breach Rules, your obligations upon a data breach are dramatically higher if you do not encrypt. Encryption, done properly, will be a "get out of jail free" card if you have a data breach.

I'd call that a game changer.

So, am I guilty of changing my opinions? To quote the only thing Keynes said that was right: "When the facts change, I change my mind. What do you do, sir?"

Jeff [12:35 PM]

Comments:
I agree. It is a game changer. And much has changed since the original HIPAA Security Rule was put in place. The Internet has become a more malicious place. More data is being stored electronically. Even laptops and tablets have come down in price to the point where people question why even buy a desktop. Everyone has a smartphone capable of storing rich content.

So although your position may have been acceptable, times have changed. And it's time the healthcare industry started securing protected health information (PHI) using encryption. It's easier and less expensive than ever before.

Sincerely,
Alex Zaltsman
www.experiordata.com