HIPAA Blog

[ Monday, April 12, 2010 ]


The AMA jumps on the encryption bandwagon: When the Security Rule initially came out in the spring of 2003 (and became effective April 2005), the question of encryption was an "addressable" one -- in other words, encryption was not required. Covered entities had to consider whether it was necessary, but if the entity determined it was not, the entity did not have to adopt encryption technologies. I occasionally advised clients that they did not have to adopt encryption technology, even though some in the industry said it had become "industry standard" and therefore was really necessary. I disagreed; depending on the context, safe data transfer practices would be sufficient.

HITECH changed that (more precisely, the regulations defining "secured" data under HITECH did). The new data breach rules give you a "get out of jail free" card, and that card is encryption: if you encrypt, you can avoid the data breach disclosure problem. Data breaches must be disclosed to the individual and HHS, but only if the data is unsecured; and HHS defines "secured" to mean encrypted. In fact, encryption is really the only way to secure PHI.

The AMA has now taken a similar stance. As you can see from this, physicians and physician practices should look again at encryption technology and adopt it if possible. You should consider it for data in transit and for data at rest. It's not free, but it may save you a ton of money and embarrassment in the long run if your data breaches are not reportable.

Jeff [11:19 AM]
