Encrypt or un-encrypt, that is the question after the Department of Health and Human Services (HHS) came out with its recent guidance on patient rights.
Last week the Office for Civil Rights (OCR) announced a significant provision in the new guidance dealing with the issue of encryption.
The guidance formalizes a requirement that covered entities and business associates must provide individuals a copy of their Protected Health Information (PHI) by unencrypted email if the individual requests that it be delivered to them by this method.
In addition, the covered entity or the business associate must give the individual a brief warning of the risk that sending PHI unencrypted carries: an unauthorized third party could read or access their PHI. The guidance further states that the covered entity or business associate must confirm, or obtain an acknowledgement, that the individual still wants to receive the requested PHI by unencrypted email. If the individual says ‘yes’, the covered entity or business associate must comply.
Also discussed in this guidance is the handling of paper records. Should the covered entity maintain paper records, the covered entity is expected to scan the paper records into an electronic format so they can be emailed.
Jocelyn Samuels, Director of the Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA, says the OCR issued this guidance because “unfortunately, based on recent studies and our own enforcement experience, far too often individuals face obstacles in accessing their health information, from entities which are required to comply with the HIPAA Privacy Rule. This must change.”
Both federal agencies, the OCR and the Federal Trade Commission (FTC), have a history on encryption: their Resolution Agreements document the need to encrypt PHI.
In a 2013 Resolution Agreement with Hospice of Northern Idaho, former OCR Director Leon Rodriguez emphasized that the action “sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ information.” Mr. Rodriguez also stressed the importance of encryption, calling it “an easy method for making lost information unusable, unreadable, and indecipherable.”
In a September 2015 Resolution Agreement, OCR Director Jocelyn Samuels stated “Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information. Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”
Recently the FTC fined Dentrix G5 software, a health IT vendor, $250,000 for deceptive claims. Dentrix stated that it utilized industry-standard encryption when it actually used a method inferior to the Advanced Encryption Standard (AES) recommended by the National Institute of Standards and Technology.
The Resolution Agreements cited in this post speak to the overall use of encryption within a covered entity and the protection of PHI.
So, encrypt or un-encrypt?
Remember to update your Access to Protected Health Information policy and procedures, along with a new authorization form for patients to sign that warns them of the possible risks of sending their PHI unencrypted. And, don’t forget to train your workforce!
Yes, 2016 is sure to be a year of additional guidance and change within HIPAA.
Judith Lindsay, CHP and CEO of JAL Consult, tackles all the elements of the HIPAA compliance puzzle, helping organizations make sense of it all by implementing policies and procedures that are reasonable and appropriate for their entity. Judith provides consulting and training and is available for speaking engagements. To read more about the world of compliance, subscribe to JAL’s newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult