More than 19 million Americans have been affected by a health care data breach since September 2009, when tougher HIPAA compliance laws went into effect after the HITECH Act passed.
Under the HITECH Act, HIPAA covered entities and business associates must disclose any health care data breach that has affected more than 500 people. According to Gov Info Security, nearly 400 such incidents have been reported.
More than half of these incidents, 55%, involved lost or stolen electronic devices that had not been encrypted. While the HITECH Act does not explicitly require the use of encryption technology, it does state that the loss of data that has been encrypted does not constitute a data breach. In other words, a reportable breach is not hard to prevent: encrypting the data takes a lost or stolen device out of the breach definition entirely.
An effective enterprise encryption strategy should cover software, databases and networks in addition to the protected health information itself and the mobile devices that carry it. It also helps to have a social media policy in place to avoid the embarrassment of a health care data breach on Facebook. Such a breach is unlikely to meet the 500-victim threshold for reporting to the U.S. Department of Health and Human Services, but the negative publicity could be just as damaging.