Case Study – HIPAA Encryption Requirements

One of the confusing aspects of HIPAA regulations is the addressable portions. Addressable requirements give entities discretion on how to handle them, but that doesn’t mean they are optional. They must still be handled in some form. An analogy is car insurance. The government requires us to carry car insurance if we drive a car. However, it doesn’t mandate how we get the insurance or who we purchase it from. Those choices are left to us to decide and are addressable. An example of this in healthcare law is the HIPAA Encryption Requirements. In this case study, we will see how not protecting data using encryption cost one Covered Entity a lot of money.

What happened?

The Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (MEEI) reported a stolen laptop to the Office for Civil Rights (OCR) in February 2010. The laptop contained the electronic protected health information (ePHI) of 3,621 individuals. The laptop was not encrypted. Data included prescription information as well as clinical information on the patients.

What was the result?

OCR performed an investigation and found that MEEI had failed to comply with specific elements of the HIPAA Security Rule. By reviewing MEEI’s Risk Assessment, OCR determined that it wasn’t thorough enough to protect ePHI on portable devices. In addition, the policies and procedures in use did not adequately address how to protect ePHI and restrict access to it on any portable device. However, worst of all, OCR found that this behavior had continued for an extended period of time and showed a disregard for HIPAA compliance at MEEI.

OCR fined MEEI $1.5 million and required a corrective action plan be implemented to address the issues that OCR discovered in their investigation. The program would last for 3 years and would require MEEI to make changes in how it protects and restricts access to ePHI.

“In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices,” OCR Director Leon Rodriguez stated in the HHS press release. “This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.”

How do the HIPAA Encryption Requirements impact your practice?

When the HIPAA Security Rule was originally created, technology was in a different place. So the statement of “whenever deemed appropriate” was added. This gave allowances for changes in technology over the years. However, this didn’t mean that entities could simply skip it.

Another reason for this is that each entity is different in its network and computer setup. Some entities may not make use of any portable devices and therefore wouldn’t need to encrypt them. But there are other areas where the HIPAA Encryption Requirements can impact your practice. Encryption should be used at any point where there is a risk of the data falling into the hands of an unauthorized person. Do you have external backup drives? These need to be encrypted in case they are lost or stolen. In fact, backup drives are likely to contain the ePHI for all of the patients in your practice. If you are on a server-based EMR, is the server itself encrypted? Is the server in a secure location? Do you use cloud services like Dropbox? The data stored there must also be encrypted.

A final example is ePHI sent through email. This must be encrypted so that only the patient may review the contents of the email.

In the past, this was more difficult. However, Microsoft Windows 10 includes disk encryption built in at no extra charge. Practices can encrypt each workstation or portable Windows device with proper planning and execution. Windows Server 2012 and 2016 also include encryption capability that can be used to protect data stored on servers and even backup drives connected to them.
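One way to check that the Windows encryption described above is actually in force on a workstation, server or attached backup drive is sketched below. This is an added example, not part of the original article; it assumes the built-in encryption is BitLocker, that the BitLocker PowerShell module is present on the machine, and that the session is elevated. The report path is a hypothetical choice.

```powershell
#Requires -RunAsAdministrator
# Added example: inventory the BitLocker state of every volume Windows reports
# (OS disk, data disks, attached backup drives) and flag anything that would
# expose ePHI if the device were lost or stolen.

$reportPath = Join-Path $env:TEMP 'encryption-audit.csv'   # hypothetical output location

$results = foreach ($vol in Get-BitLockerVolume) {
    $findings = @()

    # Anything other than FullyEncrypted leaves readable data on the disk,
    # including volumes where encryption is still in progress.
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "VolumeStatus=$($vol.VolumeStatus)"
    }

    # An encrypted volume with protection Off (suspended) keeps its key
    # unprotected on disk, so it does not protect a stolen device.
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "ProtectionStatus=$($vol.ProtectionStatus)"
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        EncryptedPercent = $vol.EncryptionPercentage
        Compliant        = ($findings.Count -eq 0)
        Findings         = $findings -join '; '
        CheckedAt        = (Get-Date).ToString('s')
    }
}

# Keep the CSV as evidence for the Risk Assessment and policy review.
$results | Export-Csv -Path $reportPath -NoTypeInformation
$results | Format-Table MountPoint, VolumeType, VolumeStatus, ProtectionStatus, Compliant -AutoSize

$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) volume(s) are not fully protected; see $reportPath"
    exit 1
}
```

Run it with any external backup drives connected so they appear in the inventory; a non-zero exit code lets a scheduled task or management tool raise an alert.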

Portable devices, like phones and tablets, also have built-in encryption that practices can use.

Because of all of this, there is no reason not to implement proper security for ePHI on all devices in the practice.

Summary

HIPAA Encryption Requirements were designed to protect ePHI that can be lost or stolen from an entity. They often cause confusion because they are addressable, and addressable is often thought to mean optional. MEEI found out that this wasn’t the case when they had a laptop stolen that contained the ePHI of 3,621 patients. OCR found that the entity had not adequately protected the data on their portable devices because they were not encrypted. In addition, OCR found that MEEI had done this for a long period of time, indicating willful disobedience of the law. This resulted in a $1.5 million fine and a 3-year corrective action program.

Make sure you have addressed this for your practice, first in your Risk Assessment and then in your policies and procedures. After that, make sure that what you have actually done in your practice and what you have in your policies and procedures match. Doing this could save you from embarrassing and costly ePHI breaches.