At HCCA’s 2018 Compliance Institute, Iliana Peters, formerly of the OCR and now with the Polsinelli law firm, commented that not encrypting is “less and less persuasive.” In other words, it is increasingly harder to justify a decision not to encrypt electronic protected health information (ePHI).
This is welcome input, considering that encryption is “addressable,” but not “required” under the HIPAA Security Rule.
Addressable safeguards require covered entities and business associates to:
- Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and
- As applicable to the covered entity or business associate—
  (A) Implement the implementation specification if reasonable and appropriate; or
  (B) If implementing the implementation specification is not reasonable and appropriate—
    (1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
    (2) Implement an equivalent alternative measure if reasonable and appropriate.
45 CFR 164.306(d)(3).
But when it comes to encryption, the line has been moving since the HIPAA Security Rule was originally implemented. Fifteen years ago, it was common – and perhaps more “persuasive” – to argue that encryption was cost-prohibitive, and therefore not “reasonable and appropriate.” As time went on, the likelihood of ePHI being compromised increased—partly because there is more ePHI; partly because there is more demand for ePHI on the black market; and partly because hackers have more sophisticated methods of illegally obtaining ePHI. At the same time, encryption options have become plentiful and more affordable.
It comes as little surprise, then, that we are seeing more HIPAA settlements and enforcement involving unencrypted ePHI. For example:
And last but not least, on June 18, 2018, the OCR announced that an HHS Administrative Law Judge (ALJ) ruled that MD Anderson violated the HIPAA Privacy and Security Rules when it failed to encrypt its electronic devices, despite identifying encryption as a high security risk.
It is noteworthy that the ALJ rejected MD Anderson’s argument that it was not required to encrypt its devices. The ALJ stated:
The regulations governing ePHI do not specifically require devices to be encrypted if "encryption" in this context is interpreted to mean some mechanical feature that renders these devices physically impossible to enter by any persons who are not authorized users. But, these regulations require covered entities to assure that all systems containing ePHI be inaccessible to unauthorized users. 45 C.F.R. § 164.306(a); 45 C.F.R. § 164.312(a)(1). These regulations give considerable flexibility to covered entities as to how they protect their ePHI. Nothing in those regulations directs the use of specific devices or specific mechanisms by a covered entity. However, the bottom line is that whatever mechanisms an entity adopts must be effective. Respondent failed to comply with regulatory requirements because it failed to adopt an effective mechanism to protect its ePHI.
For covered entities and business associates who have not encrypted – perhaps because it is not “required” under the Security Rule – there are mounting indications from the enforcers that opting not to encrypt is, in the words of Ms. Peters, “less and less persuasive.”