This is a question many lawmakers are asking in the wake of the recent Anthem, Inc. debacle, which resulted in the unauthorized disclosure of tens of millions of patient files. The Health Insurance Portability and Accountability Act of 1996 outlines both general and specific guidelines for covered entities regarding the security of Protected Health Information (PHI). However, the Department of Health and Human Services (HHS) currently does not require covered entities to implement encryption.
Technically speaking, encryption is an “addressable” element of HIPAA, not a required one. This means covered entities are permitted to determine whether implementing encryption is both reasonable and appropriate. If it is not, the covered entity must implement an alternative measure designed to achieve the same purpose. All of this falls under HIPAA's Security Rule, which governs how covered entities secure their PHI against unauthorized access, use and disclosure.
Does this mean it's OK not to use encryption? It's somewhat of a gray area, as the HIPAA Security Rule gives covered entities the discretion to make this decision. If encryption is deemed reasonable and appropriate, then it should be implemented. If encryption is neither reasonable nor appropriate, the covered entity must use an alternative method to secure its PHI.
Investigators found that Anthem, Inc. failed to encrypt its data. However, a spokesperson for the health insurance company said that it wouldn't have helped anyway. The attack on Anthem was attributed to attackers using a system admin's username and password, so, according to the spokesperson, encryption wouldn't have prevented the disclosure. Furthermore, the spokesperson claims that Anthem encrypts all of its exported data.
Even so, many lawmakers are still pushing for encryption to be a mandatory requirement for covered entities under HIPAA. Lamar Alexander, for instance, is working with Senator Murray to push for greater security of PHI. “Patients, hospitals, insurers — and all Americans who value the safety and privacy of their sensitive personal information — have a right to be alarmed by reports that their electronic records might be vulnerable to a cyber attack,” said Committee Chairman Lamar Alexander. “I look forward to working with Sen. Murray as we take a serious look at how these types of attacks may be prevented and examine whether Congress can help.”
Do you think encryption should be a mandatory requirement of HIPAA?