Encryption technology and solutions are becoming less expensive and easier to use and should increasingly be employed by healthcare organizations of all sizes, according to a top U.S. Department of Health and Human Services (HHS) healthcare privacy official.
Encryption protects proprietary information from hackers and protects organizations from heavy regulatory fines and other penalties in the event of a data breach, said David Holtzman, health information privacy specialist at HHS’s Office for Civil Rights (OCR).
OCR is responsible for enforcing security and privacy rules mandated by the Health Insurance Portability and Accountability Act (HIPAA). Holtzman made the remarks at the recent Global Privacy Summit in Washington, D.C., sponsored by the Independent Association of Privacy Professionals.
OCR data shows that the loss and theft of laptops and portable electronic devices is one of the most common ways that proprietary data ends up in the wrong hands. But if the data is encrypted, it is unlikely that whoever obtains the device can access it, so security and privacy are not compromised.
HIPAA does not require healthcare organizations to use encryption, but during a question-and-answer session at the presentation, Holtzman said that it is becoming more important to use. “Maybe the needle is beginning to shift” toward having encryption become more of a necessity, he said, “because these technologies are becoming more accessible and more affordable.” He added, however, that he was voicing a personal opinion, not speaking in an official legal capacity for the OCR.
Healthcare organizations that fail to protect sensitive healthcare data can be subject to large fines and other penalties. In March, for example, OCR announced the first enforcement action resulting from a new breach self-report mandate required under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
HITECH, passed in 2009, was meant to supplement the security and privacy provisions in HIPAA. In the enforcement action, Blue Cross Blue Shield of Tennessee agreed to pay HHS $1 million to settle potential violations of HIPAA’s privacy and security rules after the company filed a report informing HHS that 57 unencrypted computer hard drives, containing sensitive health information on more than one million people, had been stolen.