The Health Information Technology for Economic and Clinical Health (HITECH) Act stipulates that health care organizations, health plans, other covered entities and their business associates are required to issue notifications of any data breach involving personal health information (PHI). However, the act also applied an exemption, or safe harbor, for information that is "rendered unusable, unreadable or indecipherable."
Six months after the HITECH Act, the U.S. Department of Health & Human Services issued a rule. As summarized by HHS, the breach notification interim final rule indicates that "[e]ntities subject to the HHS and [Federal Trade Commission] regulations that secure health information as specified by the guidance through encryption or destruction are relieved [exempt] from having to notify in the event of a breach of such information." That rule went into effect in September 2009.
Since then, nearly 250 data breaches involving the loss of data from 500 or more patients have been reported to HHS. Most of the reported data breaches were unintentional, caused by the loss of PCs, laptops or storage media with unencrypted PHI.
If PHI encryption is the only safe harbor in the eyes of the law, why aren't health care organizations doing all they can to achieve it?
How PHI encryption helps hospitals achieve safe harbor
Most health care CIOs will tell you cost makes PHI encryption difficult. I don't buy that. For starters, there are many freeware encryption software packages available, so it's very reasonable for any health care institution to encrypt PHI data on its entire PC inventory. Even if an institution did purchase a software encryption package, it would be far less costly than paying a fine for a data breach. Encrypting 1,000 laptops at $50 per seat for a standard encryption license comes to $50,000. Under federal law, institutions can be fined as much as $50,000 per information breach.
Some CIOs will tell you they need more time to complete enterprise-wide PHI encryption. This is a better -- or at least a more accurate -- excuse. It took my organization four months to deploy an entire disk software encryption system for 6,000 personal computers and laptops. We performed this task aggressively because we believed it was the correct thing to do to protect the PHI data if a laptop or PC was stolen. We used highly rated encryption software that provided central management. Most of this work was performed transparently, without affecting end users.
How does PHI encryption provide safe harbor?
Almost 40 years ago, the federal government instituted an anti-kickback law to protect patients and federal health care programs against fraud. Under the law, "knowingly and willfully" receiving or paying money to influence the referral of federal health care program business, including Medicare and Medicaid, is a felony punishable by as much as five years in prison, fines of as much as $25,000, administrative penalties of as much as $50,000, and exclusion from federal health care programs.
The law's broad scope raised many issues with health care providers, who believed that some standard clinical activities would be prohibited by the anti-kickback law. In 1987, Congress designated specific safe harbors for various business practices that had been prohibited by the anti-kickback law.
Now, if any of our PC systems are stolen, our health care institution will be exempt because we can prove that the entire disk was encrypted and its data had been rendered "unusable, unreadable or indecipherable." I consider any PC encryption software valuable insurance against PHI breaches and worth the money spent.
PHI encryption strategy must include hardware, peripherals
The best place to begin is with encrypting hardware that's at high risk of loss or theft. Lost and stolen PCs pose the greatest threat for exposing health care organizations' PHI. In our technologically advanced mobile society, laptops are stolen every hour of every day, and the data on these laptops is potentially more valuable than the hardware itself.
The smartest thing a health care CIO can do is hardware-encrypt all the laptops and PCs in the organization. This will reduce the risk of stolen medical record information. When -- not if -- a laptop is stolen, the medical information on the stolen system will be unusable.
Don't forget peripheral devices when PC hardware is encrypted. This includes USB drives, thumb drives, memory sticks, CDs and DVDs. In June 2010, for example, the Lincoln Medical and Mental Health Center in New York City had to notify more than 130,000 patients that their PHI might have been breached when a billing contractor shipped seven CDs full of unencrypted data and the CDs were lost in transit. The institution's remediation process probably will be very costly.
For encrypting hardware on PCs, here are a few basics:
- Hardware-encrypt the PC's entire disk drive, not just the data area.
- Encrypt all peripheral devices.
- Use 128-bit encryption or higher.
- Use an encryption product that provides two keys: one for systems administrators and one for users.
- Use an encryption product that can be centrally managed.
- Secure the encryption keys separate from the PC and peripheral devices.
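The "two keys" and "keys kept separate" items above describe a key-escrow design. The Go program below is an added illustration, not code from the article or from any encryption product it mentions: it encrypts a constructed PHI record under a random volume key and wraps that key twice, once for the user and once for the administrator, so the on-disk Volume alone is indecipherable while either party can still recover the data. It assumes AES-256-GCM and random keys issued by a central management server; a real product would derive the user key from a passphrase with a proper KDF.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Volume is all that sits on a stolen disk: encrypted PHI plus the volume key wrapped twice.
type Volume struct{ Ciphertext, UserSlot, AdminSlot []byte }
func randBytes(n int) []byte { // n bytes from the OS CSPRNG; entropy failure is fatal
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func gcmFor(key []byte) cipher.AEAD { // AES-GCM over a 16/24/32-byte key
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error, not runtime input
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
// seal encrypts under key with AES-GCM and prepends the 12-byte random nonce.
func seal(key, plaintext []byte) []byte {
	nonce := randBytes(12)
	return gcmFor(key).Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; a wrong key fails authentication instead of yielding garbage.
func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("sealed data too short")
	}
	return gcmFor(key).Open(nil, sealed[:12], sealed[12:], nil)
}
// EncryptVolume encrypts PHI under a fresh 256-bit volume key (above the 128-bit floor)
// and escrows that key under both the user key and the admin recovery key.
func EncryptVolume(phi, userKey, adminKey []byte) *Volume {
	vk := randBytes(32)
	return &Volume{seal(vk, phi), seal(userKey, vk), seal(adminKey, vk)}
}
// DecryptVolume recovers the PHI with whichever key opens one of the two slots.
func DecryptVolume(v *Volume, key []byte) ([]byte, error) {
	for _, slot := range [][]byte{v.UserSlot, v.AdminSlot} {
		if vk, err := open(key, slot); err == nil {
			return open(vk, v.Ciphertext)
		}
	}
	return nil, errors.New("key opens neither slot; the volume stays indecipherable")
}
```

Neither the user key nor the admin recovery key appears in the Volume, which is the point of keeping keys separate from the device: a thief holding the disk has ciphertext and two wrapped blobs and nothing that opens them.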
PC encryption gets health care CIOs one step closer to a good night's sleep, free of worries about the loss of PHI. The work should not stop there, however. Fortunately, it's not difficult to deploy an encryption strategy at multiple layers within a health care organization's system for electronic health records.
Al Gallant is the director of technical services at Dartmouth-Hitchcock Medical Center in Lebanon, N.H.