My organization utilizes encryption for PHI to satisfy HIPAA encryption requirements, but I've read that we also need to provide some sort of proof that devices were encrypted when they are lost or stolen. If that is the case, how exactly do we go about providing proof? Are there any other reporting requirements in this vein we may be missing?
This information probably comes from marketing materials provided by a vendor offering encryption solutions that provide this sort of proof. The HIPAA Omnibus rule does not contain any language that specifically requires covered entities to prove that lost or stolen devices were encrypted. This might be a very liberal interpretation of the rule, but it is not an explicit requirement.
However, I would still recommend encrypting portable devices and retaining evidence. Encrypting devices that contain PHI provides a way to neatly sidestep HIPAA's breach notification requirements if the device is lost or stolen. Quite simply, the loss of a device containing properly encrypted data does not constitute a breach. Of course, that begs the question, what is proper encryption? You should be using a widely accepted algorithm, such as AES, and safeguarding the key so that it is protected from disclosure.
Why retain evidence even if there is not an explicit requirement to do so? Maintaining records that demonstrate the devices were encrypted can unequivocally settle the question in the event of a breach, protecting the organization against lawsuits or regulatory action. The easy way to do this is to implement encryption through a centralized system that allows you to track compliance throughout the enterprise. This may be a standalone encryption product or it may be a capability of the existing system configuration management tool.
Either way, if the systems are well-managed, it should not be a difficult task to maintain those records and get a "get out of jail free" card that you can redeem in the event of a lost or stolen device.
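The answer above recommends producing the encryption-status records from a centralized management tool and retaining them as evidence. The following is an added example, not code from the original page or from Mike Chapple, of what such an evidence process can look like in practice: it reads a per-device status export (the CSV columns, the device IDs and the approved-algorithm list are all assumptions constructed for this example, not any vendor's real schema), decides for each device whether the reported state meets the three conditions the answer implies (volume encrypted, an accepted algorithm such as AES, and the key held by the organization through escrow), retains the result in a snapshot with a SHA-256 digest so later tampering is detectable, and looks up the last observation before a reported loss date.

```python
"""Encryption-status evidence log: build, retain, verify, and query.

Constructed example.  The export format, column names, device records and
approved-algorithm list are assumptions for illustration only.
"""
import csv
import hashlib
import io
import json
from dataclasses import asdict, dataclass

# Constructed export from a hypothetical device-management tool (MDM,
# BitLocker/FileVault reporting, or a configuration-management system).
SAMPLE_EXPORT = """\
device_id,user,last_checkin,volume_encrypted,algorithm,key_escrowed
LT-0001,ajones,2024-03-01T14:02:11Z,true,AES-256,true
LT-0002,bsmith,2024-03-01T09:45:00Z,false,,false
LT-0003,cwu,2024-02-20T17:30:00Z,true,AES-128,false
LT-0004,ddoe,2024-03-01T08:00:00Z,true,RC4,true
"""

# Assumption: the organization's approved-algorithm list.  The answer names
# AES as widely accepted; which variants are approved is a local decision.
ACCEPTED_ALGORITHMS = {"AES-128", "AES-256"}


@dataclass(frozen=True)
class EvidenceRecord:
    device_id: str
    observed_at: str   # ISO-8601 UTC time of the tool's last check-in
    encrypted: bool
    algorithm: str
    key_escrowed: bool
    compliant: bool
    reason: str


def evaluate(row: dict) -> EvidenceRecord:
    """Decide whether one device's reported state counts as properly encrypted.

    Three conditions must hold: the volume is encrypted, the algorithm is on
    the approved list, and the recovery key is escrowed (held by the
    organization, not only on the device that was just lost).
    """
    encrypted = row["volume_encrypted"].strip().lower() == "true"
    algorithm = row["algorithm"].strip()
    escrowed = row["key_escrowed"].strip().lower() == "true"
    if not encrypted:
        reason = "volume not encrypted"
    elif algorithm not in ACCEPTED_ALGORITHMS:
        reason = f"algorithm {algorithm!r} not on approved list"
    elif not escrowed:
        reason = "recovery key not escrowed"
    else:
        reason = "ok"
    return EvidenceRecord(row["device_id"], row["last_checkin"], encrypted,
                          algorithm, escrowed, reason == "ok", reason)


def build_evidence(export_text: str) -> list:
    """Evaluate every row of the management tool's CSV export."""
    return [evaluate(r) for r in csv.DictReader(io.StringIO(export_text))]


def snapshot(records: list, generated_at: str) -> dict:
    """Serialize the records with a SHA-256 digest of the serialized body.

    Retain the digest (or a signature over it) separately from the JSON so
    that a later edit of the retained records is detectable.
    """
    body = json.dumps([asdict(r) for r in records], sort_keys=True)
    return {"generated_at": generated_at, "records": body,
            "sha256": hashlib.sha256(body.encode()).hexdigest()}


def verify_snapshot(snap: dict) -> bool:
    """Recompute the digest; False means the retained records were altered."""
    return hashlib.sha256(snap["records"].encode()).hexdigest() == snap["sha256"]


def lost_device_check(snap: dict, device_id: str, reported_lost_at: str) -> dict:
    """Return the last observation of the device made before the loss date.

    ISO-8601 UTC strings in the same format sort correctly as plain strings,
    so the comparison below is a chronological one.  An observation made
    after the loss date is not evidence about the device's state at loss.
    """
    records = json.loads(snap["records"])
    before = [r for r in records
              if r["device_id"] == device_id and r["observed_at"] <= reported_lost_at]
    if not before:
        return {"device_id": device_id, "evidence": "none",
                "observed_at": None, "reason": "no observation before loss date"}
    last = max(before, key=lambda r: r["observed_at"])
    return {"device_id": device_id,
            "evidence": "encrypted" if last["compliant"] else "not encrypted",
            "observed_at": last["observed_at"], "reason": last["reason"]}


if __name__ == "__main__":
    snap = snapshot(build_evidence(SAMPLE_EXPORT), "2024-03-02T00:00:00Z")
    print("snapshot intact:", verify_snapshot(snap))
    for dev in ("LT-0001", "LT-0002", "LT-0003", "LT-0004", "LT-9999"):
        print(lost_device_check(snap, dev, "2024-03-05T00:00:00Z"))
```

Two caveats a practitioner will want: the record is only as good as the last check-in, so a device that had not reported in for weeks before it went missing yields correspondingly weaker evidence (the returned `observed_at` should be compared with the loss date when the record is used); and the script produces evidence of encryption state, not a legal determination, which is the organization's privacy or compliance function to make.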
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)