HIPAA Compliance Strategies
Featured Health Business Daily Story, July 17, 2009

The Encryption of Patient Health Records Is Crucial With New Laws and Growing Patient Desire to E-mail Their Physicians

By Eve Collins, Editor (ecollins@aispub.com)

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

With the use of health information technology and electronic health records expanding rapidly, and with the knowledge that security breaches must now be reported to the government and the media, health care organizations now have greater incentive than ever to encrypt data, experts tell RPP. Covered entities (CEs) that have been communicating with patients through e-mail or their Web sites, or that will soon be hooked up to a health information exchange, should be taking a close look at their encryption policies.

The security breach notification provision of the HITECH Act requires that CEs notify affected individuals, the government and the media following a breach of unsecured information. But providers don't have to report breaches if protected health information (PHI) is rendered unusable through encryption or destruction, according to HHS guidance released in April. One way PHI is vulnerable is when it is in motion through a network, including wireless transmission, the guidance says. This would include sending information electronically by e-mail or using the Internet. The information would be protected if it is encrypted using the requirements set out in Federal Information Processing Standards (FIPS) 140-2, HHS says.

"The bottom line is there is no excuse anymore" for not encrypting PHI, says Chris Apgar, president of Apgar and Assoc., an information security consulting firm. "There is a significant risk associated with not securing data from both a regulatory and legal perspective. If I were a doctor, I would not want to put myself in a position where I am inappropriately releasing data," he says.
When the security rule was published in 2003, encryption was "addressable," which meant CEs had to use something comparable or have a good reason why they weren't encrypting, Apgar explains. One excuse given back then was that not everything was interoperable. "The interoperability issue is not the case today," he says. "If you have a Web browser, it doesn't matter what kind; if you have a mail box, the people receiving an e-mail don't have to install anything on their device" to communicate with you, he points out.

Expense also isn't an issue anymore. "You need to secure that information, and there are tools on the market that range from $100 per person per year to hundreds of thousands of dollars for big organizations. Some are very expensive, but it makes a lot of sense for some organizations to do that rather than spending $100 per person," he says. "If you have a small office with three people who have to send information, the cost is $300; how do you justify" not buying those tools?

And now with the HITECH Act provisions, one unprotected e-mail containing PHI could subject a CE to legal liability, and the CE can expect "potential damage to the business." Also, he adds, "If you have a patient sign a waiver saying they know there is a risk, it doesn't relieve the provider from securing that message. If there is a breach, it is still a breach and [the CE has] to notify" anyone involved [and possibly HHS and the media].

Who Is Encrypting E-mail?

While health care providers report using several kinds of security tools to protect patient information in electronic formats, many still are not encrypting e-mail, according to a survey released late last year by the Health Information Management Systems Society (HIMSS) and sponsored by Booz Allen Hamilton.
About 25% of the respondents said they allow patients to access information in an electronic format (either through a secure Web site or through e-mail) for financial/insurance information, lab results, scheduling information or sometimes more detailed clinical information. Only about 55% of respondents to the HIMSS survey said they are encrypting e-mails. But 81% said they have wireless security protocols, and 71% said they use other forms of data encryption. However, 28% of the respondents reported that they will be purchasing e-mail encryption in the future.

Lisa Gallagher, senior director of privacy and security at HIMSS, says the organization does not yet have hard data on how many providers are using e-mail to communicate with patients, but that it is something HIMSS is looking at for the next survey, due out in October. "Things have really changed drastically in the past year because of the stimulus bill, the recent [HHS] guidance and upcoming rulemaking," she says. "We are walking down the path of encryption being a best practice," Gallagher continues. "I hear a lot of general complaining about the cost and implementation, but the industry should be considering encryption to be a best practice and should be implementing it now," she says.

Many physicians are probably not encrypting e-mail, and many are not e-mailing directly with patients because of it, says attorney Jud DeLoss, who is now the chair of the health information and technology practice group of the American Health Lawyers Assn. "These are not the sophisticated users who would do that. It is not safe to communicate through e-mail; therefore they're not doing it at all," he says. Is this an Achilles heel for CEs? That depends on what the information is and what the organization is doing with it, DeLoss says. But providers should start encrypting now, he contends.
"With the theft and loss of so much information, this is a situation in which there are potentially financial and other damages in the picture. This is a public relations issue, and so much has gone on that I don't see how [a provider] could avoid penalties or a civil law claim," he says.

Consumers have said in surveys that communicating with physicians and health care organizations in an electronic format is something they want. According to the 2009 Survey of Health Care Consumers released in April by the Deloitte Center for Health Solutions, 57% of consumers who responded want a secure Web site to access their medical records, schedule office visits, pay bills and refill prescriptions. And 42% want access to an online personal health record connected to their doctor's office. Also, more than half of respondents (55%) want to be able to communicate with their physicians via e-mail. But 38% are "very concerned" about privacy and security versus 24% who are not at all concerned, according to the survey. And 60% of the respondents said the government should set standards for how PHI is collected, stored, exchanged and protected.