News Feature | March 5, 2015

Will HIPAA Require Encryption?

By Megan Williams, contributing writer


You and your healthcare IT clients could be facing even more legislation around healthcare data, and this time, it’s about encryption.

Currently, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act do not contain mandates around encryption, but that may soon change. The Senate Health, Education, Labor, and Pensions committee is rethinking its approach to encryption in their efforts to revisit HIPAA, according to FierceHealthIT.

The legislation is coming up on its 20-year anniversary, and many in the industry feel regulations around encryption don’t properly address the new security threats that are becoming so common in the healthcare sector.

HITECH

The answer to HIPAA’s lack of focus on encryption came in 2009 in the form of the HITECH Act, which, much like today’s Meaningful Use initiatives, placed incentives around encryption and avoided imposing a rigid solution across the industry. Indiana University law professor Nicolas Terry told the AP that it seemed like a reasonable balance at the time, but that recent events may have proven the compromise “unworkable.”

Basically, the industry hasn’t taken up the incentives in big enough ways. Over 40 percent of healthcare employees aren’t using full-disk or file-level encryption on their devices at work, according to a Forrester research report, leaving huge segments of the industry vulnerable just as attacks are increasing and security-challenging concepts like the Internet of Things are taking off.

The current chair of the HIMSS Privacy and Security Policy Task Force doesn’t believe much will happen, though, before the next presidential election.

On a smaller level, states like New Jersey have taken the lead and enacted legislation requiring health insurance companies to encrypt patient information, according to NJ.com. All insurance companies using data containing personal information must either protect that data by encryption or “by any other method or technology rendering it unreadable, undecipherable, or otherwise unusable by an unauthorized person.”

Where Encryption Falls Short

Even with attention from regulators, though, only so many holes in your clients’ security systems can be plugged. The recent Anthem breach would likely have happened regardless of encryption policies, since the attacker in question likely had an administrator ID and password, and encryption does nothing to stop someone who can read data through a legitimately authorized account.

Going Deeper

Read more on preventing security disasters for your clients.