HIPAA/HITECH security rules (45 CFR Parts 160, 162, and 164) do not provide a prescriptive requirement for encryption of healthcare information. As long as the data is in the control of the provider, electronic private health information (ePHI) does not have to be encrypted. If a provider loses a disk or laptop with ePHI and it is encrypted, the loss is not considered a reportable incident to the Department of Health and Human Services' Office for Civil Rights (HHS/OCR). PHI loss disclosure guidelines provide a sort of “get out of jail free card” for healthcare providers that lose encrypted ePHI data, and help to avoid potentially significant fines.
NOTE: A reportable incident is not the loss of health information. It is the loss of patient-identifiable health information. For this reason, most hospital information systems (HIS) and electronic medical record (EMR) systems encrypt the patient key in the database, thus making the private health information on a data center disk “de-identified” even if the entire data center disk drive is lost.
Although the risk is low, encrypting JBOD or RAID 10 devices is not a bad decision for most healthcare providers. However, Sirius healthcare security consultants believe that encryption of RAID 5/6 devices offers a very low return on investment and work effort. If the client HIS/EMR encrypts the patient key, then data center disk encryption is generally not a justifiable expense. That is why only a small fraction of U.S. healthcare providers encrypt data center disks today.
On the other hand, portable systems and media are at far greater risk of a reportable incident than a data center disk drive. Thus, the first encryption efforts for a healthcare provider should be in the area of desktops, laptops, tablets, and removable media such as thumb drives. Also, management of end-point devices using products such as IBM Tivoli Endpoint Manager provides significant value to the security posture of healthcare organizations.
It pays to be careful, informed and aware of the facts so you know you’re spending your limited resources wisely and providing cost-effective delivery of healthcare services to the community.