• To Encrypt or Not Encrypt

  • Encrypt or not encrypt, that is the question after the Department of Health and Human Services (HHS) came out with its recent guidance on patient rights.

    Last week the Office for Civil Rights (OCR) announced a significant provision in the new guidance dealing with the issue of encryption.

    The guidance formalizes a requirement that covered entities and business associates must provide individuals a copy of their Protected Health Information (PHI) by unencrypted email if the individual requests delivery by that method.

    In addition, the covered entity or business associate must give the individual a brief warning that sending unencrypted PHI carries a level of risk: an unauthorized third party could read or access their PHI. The guidance further states that the covered entity or business associate must confirm or obtain an acknowledgement that the individual still wants to receive the requested PHI by unencrypted email. If the individual says ‘yes’, the covered entity or business associate must comply.

    Also discussed in this guidance was the handling of paper records. Should the covered entity maintain paper records, the covered entity is expected to scan them into an electronic format so that they can be emailed.

    Jocelyn Samuels, Director of the Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA, says the OCR issued this guidance because “unfortunately, based on recent studies and our own enforcement experience, far too often individuals face obstacles in accessing their health information, from entities which are required to comply with the HIPAA Privacy Rule. This must change.”

    Both federal agencies, the OCR and the Federal Trade Commission (FTC), have a history with encryption. In their Resolution Agreements, the need for encryption of PHI is documented.

    In a 2013 Resolution Agreement with Hospice of Northern Idaho, former OCR Director Leon Rodriguez emphasized that the action “sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ information.” Mr. Rodriguez also stressed the importance of encryption, calling it “an easy method for making lost information unusable, unreadable, and indecipherable.”

    In a September 2015 Resolution Agreement, OCR Director Jocelyn Samuels stated, “Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information. Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

    Recently the FTC fined Dentrix G5 software, a health IT vendor, $250,000 for deceptive claims. Dentrix stated that it utilized industry-standard encryption when it actually used a method inferior to the Advanced Encryption Standard (AES) recommended by the National Institute of Standards and Technology.

    The Resolution Agreements cited in this blog speak to the overall use of encryption within a covered entity and the protection of PHI.

    So, encrypt or not encrypt?

    Remember to update your Access to Protected Health Information policy and procedures, along with a new authorization form to be signed, containing a warning so that patients understand the possible risks of having their PHI sent unencrypted. And don’t forget to train your workforce!

    Yes, 2016 is sure to be a year of additional guidance and change within HIPAA.

    Judith Lindsay, CHP and CEO of JAL Consult, tackles all the elements of the HIPAA compliance puzzle, successfully assisting organizations to make sense of it all by implementing policies and procedures that are reasonable and appropriate for their entity. Judith provides consulting and training and is available for speaking engagements. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult