My organization utilizes encryption for PHI to satisfy HIPAA encryption requirements, but I've read that we also...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
need to provide some sort of proof that devices were encrypted when they are lost or stolen. If that is the case, how exactly do we go about providing proof? Are there any other reporting requirements in this vein we may be missing?
This information probably comes from marketing materials provided by a vendor offering encryption solutions that provide this sort of proof. The HIPAA Omnibus rule does not contain any language that specifically requires covered entities to prove that lost or stolen devices were encrypted. This might be a very liberal interpretation of the rule, but it is not an explicit requirement.
However, I would still recommend encrypting portable devices and retaining evidence. Encrypting devices that contain PHI provides a way to neatly sidestep HIPAA's breach notification requirements if the device is lost or stolen. Quite simply, the loss of a device containing properly encrypted data does not constitute a breach. Of course, that begs the question, what is proper encryption? You should be using a widely accepted algorithm, such as AES, and safeguarding the key so that it is protected from disclosure.
Why retain evidence even if there is not an explicit requirement to do so? Maintaining records that demonstrate the devices were encrypted can unequivocally settle the question in the event of a breach, protecting the organization against lawsuits or regulatory action. The easy way to do this is to implement encryption through a centralized system that allows you to track compliance throughout the enterprise. This may be a standalone encryption product or it may be a capability of the existing system configuration management tool.
Either way, if the systems are well-managed, it should not be a difficult task to maintain those records and get a "get out of jail free" card that you can redeem in the event of a lost or stolen device.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Learn more about the HIPAA Omnibus rule from Mike Chapple
Tips to avoid the annual compliance scramble
Dig Deeper on HIPAA
Related Q&A from Mike Chapple
Encrypting data going to the cloud is a security best practice, but does it add extra challenges for regulators that might need to access the data? ...continue reading
Merchants that sell at off-site venues need to take extra care to follow PCI compliance standards. Expert Mike Chapple discusses how organizations ...continue reading
The FTC's order for PCI DSS compliance assessments is odd since PCI isn't a government regulation. Expert Mike Chapple explains the motivation ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.