No one who has ever had to deal with HIPAA compliance has come away with a direct, measurable understanding of...
what the regulation actually requires. The idea of a HIPAA compliant product or vendor really has no meaning, as the regulation was purposefully left vague.
The HIPAA Security Rule was written in 1996, and was not enforced until mid-2005. The original authors understood that there was no way to account for changing technology in the law, so they left out specific requirements. This lack of specificity has left more than one healthcare provider confused about how to actually comply with the rule, and has fostered a multimillion-dollar compliance consulting industry.
HIPAA is divided into three categories, defined as safeguards, that include administrative, physical and technical controls. The source of most of the confusion is how HIPAA defines the satisfaction of the standards set by these safeguards. These details are called HIPAA implementation specifications, and they are defined as either required or addressable. It sounds simple enough, but many consultants and compliance officers incorrectly interpret these definitions.
Required HIPAA implementation specifications are fairly obvious, in that the healthcare provider must implement the rule as specified. A disaster recovery plan is an example of a required specification under the HIPAA Security Rule.
The addressable specification allows the organization to make a decision about how to implement the rule based on a risk assessment. Addressable does not mean that the specification is optional. This is where many organizations make a mistake because encryption of data at rest is an addressable specification.
Encryption is not a required specification, but an organization must conduct a risk assessment to determine the risk to patient information and to decide whether encryption is required.
To further cloud the issue, the U.S. Department of Health and Human Services (HHS) states on its website that encryption is not mandatory in the HIPAA Security Rule if the implementation of encryption is not "reasonable and appropriate." However, there are no details about what HHS considers reasonable and appropriate; the organization must document that decision and implement an equivalent alternative measure.
The problem with this statement is that equivalent alternative measures to encryption don't really exist, or are simply not as effective in reducing risk.
On another page on the HHS website, it defines this requirement as the ability to "render unsecured, unprotected health information unusable, unreadable, or indecipherable to unauthorized individuals." The HHS guidance goes on to state that this requirement is only met through "the use of an algorithmic process to transform the data into a form in which there is a low probability of assigning meaning without use of a confidential process or key." This sounds like the very definition of encryption, and there are no alternative measures that meet this standard. This begs the question: Is encryption really an addressable implementation specification?
Violations of HIPAA implementation specifications
The Office for Civil Rights (OCR) is charged with enforcing HIPAA through responding to complaints and performing random audits. Although HIPAA does allow for monetary penalties, most organizations agree to expensive settlements instead because, as a result, they do not have to admit guilt for the violation, which would open up the doors to further litigation.
A compliance review of Concentra Health Services started after the report of a stolen, unencrypted laptop from their physical therapy center in Missouri. The OCR found that a risk assessment for the implementation of encryption had been completed, and that Concentra knew that unencrypted laptops posed a threat to patient information. They had started to deploy encryption, but it wasn't complete by the time the OCR began its review. The OCR also stated there were insufficient security management processes in place, which contributed to the breach. The total penalty included in the settlement for the lack of encryption on a stolen laptop was $1,725,220.
Encryption is technically an addressable implementation specification, but organizations that are required to comply with HIPAA should consider it a requirement. The cost of the Concentra settlement, along with the definitions on the HHS website, don't lead to any other conclusion.
Encryption is free in 2017, as it is included in all of the major operating systems. There is no excuse for organizations to not implement some type of encryption of data at rest. Those organizations that don't adopt encryption could potentially be putting their businesses at risk.
Read about the responsibilities of HIPAA business associates and OCR
Find out how risk assessments can help you prepare for the OCR's HIPAA audits
Check out OCR guidance about patient health information access under HIPAA