Computers in Medicine Online (sm)

___________________________________________________

Computers in Medicine (sm) - Online Newsletter is a quarterly online newsletter on computer applications for the medical profession (published on the Web since 1996).

3rd Quarter 2010 Edition

___________________________________________________

7/7/2010

HIPAA HITECH - the Focus on Encryption

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted by the U.S. Congress in 1996 and has become an integral part of the day-to-day operations of every healthcare-related business and organization in the United States.  Title I of HIPAA regulates the availability and breadth of health plans and insurance policies.  Title II defines healthcare-related offenses and the civil and criminal penalties for them, and introduced programs to address fraud and abuse within healthcare.  Title II also includes the following sets of rules:

     Privacy Rule (took effect in April 2003)

     Transactions and Code Sets Rule (took effect in October 2004)

     Security Rule (took effect in April 2003, with a compliance date of April 21, 2006 for small plans and April 21, 2005 for all others)

     Unique Identifiers Rule (National Provider Identifier (NPI) required by May 23, 2008 for small plans and May 23, 2007 for all others)

     Enforcement Rule (took effect in March 2006)

Details of HIPAA and these rules are available here.


The importance of encryption under HIPAA HITECH:

The American Recovery and Reinvestment Act (ARRA) of 2009 included what is known as the Health Information Technology for Economic and Clinical Health Act, or simply the HITECH Act.  The HITECH Act addresses privacy and security concerns related to electronic healthcare information.  It included financial incentives for the adoption of EMR systems and penalties for non-adoption.  It also extended the HIPAA Privacy and Security Rules to cover business associates of covered entities, and introduced updated civil and criminal penalties along with new breach notification requirements.  These enhancements to the Privacy and Security Rules make encryption a key component of HIPAA compliance, which is the focus of this article.

Understanding the new regulations concerning Protected Health Information (PHI) is crucial to seeing how significant encryption is for HIPAA/HITECH compliance.  According to the U.S. Department of Health and Human Services (HHS), PHI is classified as follows:

     Unsecure PHI - any PHI that has not been encrypted or destroyed.

     Secure PHI - essentially, all encrypted PHI.

Note that, by this definition of Unsecure PHI, any PHI that is not encrypted is considered unsecure.  It does not matter how many locks or biometric devices protect the filing cabinet holding your non-encrypted PHI; it is still considered unsecure.  Once again, the only secure PHI is encrypted PHI.

The penalties established under the HITECH Act's breach notification requirements are financially significant.  They can now be as high as $50,000 per violation (for violations due to willful neglect that the organization did not correct), not to exceed $1,500,000 per calendar year.  Under the HITECH Act, all HIPAA covered entities are required to send notification letters if there has been a breach of unsecured PHI.

According to HHS, the use of encryption can grant safe harbor in the event of a breach, because encrypted PHI is "Secure PHI" rather than "Unsecure PHI" (a true breach can only occur if it involves Unsecure PHI).  The encryption method used must be approved by the National Institute of Standards and Technology (NIST).

Encrypted data is considered in two ways:

    Data in Motion

    Data at Rest

For Data in Motion, a valid encryption process must comply with Federal Information Processing Standards (FIPS) 140-2.  This is fairly easy to accomplish, since many vendors offer FIPS 140-2 validated products.

For Data at Rest, NIST specifies the use of FIPS-approved algorithms contained in validated cryptographic modules, and recommends the Advanced Encryption Standard (AES) as the encryption algorithm because of its speed and strength.  Self-encrypting hard drives that are FIPS 140-2 certified are ideal here.  Few such drives are currently on the market, but they are expected to become widely available soon.

Safe harbor can only be achieved as long as these strict standards and guidelines are adhered to.  The use of proper encryption technologies permits doctors' offices, companies, and organizations to secure their sensitive PHI data, thus avoiding breach notifications and the hefty financial penalties that accompany them!

___________________________________________________

There was an overwhelming interest in the issue regarding Practice Management Systems and Electronic Medical Records.  Click here to read it.

___________________________________________________

If you have any questions or comments regarding this issue, use our feedback form.

___________________________________________________

Last Update: 7/7/2010

Copyright and disclaimer © 1995 - 2010 - Brickell Research, Inc. - All Rights Reserved.