My organization utilizes encryption for PHI to satisfy HIPAA encryption requirements, but I've read that we also need to provide some sort of proof that devices were encrypted when they are lost or stolen. If that is the case, how exactly do we go about providing proof? Are there any other reporting requirements in this vein we may be missing?
This information probably comes from marketing materials provided by a vendor offering encryption solutions that provide this sort of proof. The HIPAA Omnibus rule does not contain any language that specifically requires covered entities to prove that lost or stolen devices were encrypted. The claim might rest on a very liberal interpretation of the rule, but proof of encryption is not an explicit requirement.
However, I would still recommend encrypting portable devices and retaining evidence. Encrypting devices that contain PHI provides a way to neatly sidestep HIPAA's breach notification requirements if the device is lost or stolen. Quite simply, the loss of a device containing properly encrypted data does not constitute a breach. Of course, that raises the question: what is proper encryption? You should be using a widely accepted algorithm, such as AES, and safeguarding the key so that it is protected from disclosure.
Why retain evidence even if there is not an explicit requirement to do so? Maintaining records that demonstrate the devices were encrypted can unequivocally settle the question in the event of a breach, protecting the organization against lawsuits or regulatory action. The easy way to do this is to implement encryption through a centralized system that allows you to track compliance throughout the enterprise. This may be a standalone encryption product or it may be a capability of the existing system configuration management tool.
Either way, if the systems are well-managed, it should not be a difficult task to maintain those records and get a "get out of jail free" card that you can redeem in the event of a lost or stolen device.
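One way to keep the records described above, shown as an added example that is not part of the original answer or any vendor's product: a hash-chained log of encryption status check-ins, queried for the last report before a device went missing. The device IDs, field names and the 7-day freshness window are assumptions made for illustration, not HIPAA requirements.

```python
import hashlib
import json
from datetime import datetime, timedelta

GENESIS = "0" * 64  # fixed anchor hashed into the first entry

def _digest(prev_hash, record):
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append_checkin(log, device_id, checked_at, encrypted, algorithm):
    """Append one status report from the management tool to the evidence log."""
    record = {"device_id": device_id, "checked_at": checked_at,
              "encrypted": encrypted, "algorithm": algorithm}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "hash": _digest(prev, record)})

def verify_chain(log):
    """Detect edited, reordered or mid-log deleted entries.
    Tail truncation is only caught if the latest hash is also kept elsewhere."""
    prev = GENESIS
    for entry in log:
        if entry["hash"] != _digest(prev, entry["record"]):
            return False
        prev = entry["hash"]
    return True

def evidence_for_loss(log, device_id, lost_at, max_age_days=7):
    """Return the last check-in before the loss if it shows encryption, else None."""
    if not verify_chain(log):
        raise ValueError("evidence log failed integrity check")
    lost = datetime.fromisoformat(lost_at)
    prior = [e["record"] for e in log
             if e["record"]["device_id"] == device_id
             and datetime.fromisoformat(e["record"]["checked_at"]) <= lost]
    if not prior:
        return None
    last = max(prior, key=lambda r: datetime.fromisoformat(r["checked_at"]))
    # Assumed policy: a report older than max_age_days is too stale to rely on.
    fresh = lost - datetime.fromisoformat(last["checked_at"]) <= timedelta(days=max_age_days)
    return last if last["encrypted"] and fresh else None

def build_sample_log():
    """Constructed sample data; device IDs and dates are invented."""
    log = []
    append_checkin(log, "LT-0042", "2024-03-01T09:00:00+00:00", True, "AES-256")
    append_checkin(log, "LT-0077", "2024-03-02T09:00:00+00:00", False, None)
    append_checkin(log, "LT-0042", "2024-03-08T09:00:00+00:00", True, "AES-256")
    return log
```
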
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)