For now, providers have two choices under a new healthcare data privacy and security law: data encryption or breach notification.
But HHS also opened the door for future discussion of a possible third choice, using partial de-identification of patient data as a substitute for encryption. It is an alternative that privacy advocates say would take a hard-won legislative victory for privacy protection and turn it on its head.
All of these options and controversies were set up in the mere 20 pages of guidance and request for comment on data breach requirements HHS issued April 17.
The guidance describes the technologies and methodologies that can be used to render patient-identifiable medical records and data "unusable, unreadable or indecipherable to unauthorized users," a phrase taken straight from the American Recovery and Reinvestment Act of 2009 that is already forcing its way into the healthcare IT lexicon.
HHS guidelines address the four states of data vulnerability: storage, use, transmission and destruction. They also specifically mention standards for encryption and destruction as suitable for meeting stimulus requirements. The guidance applies to hospitals, physician offices and other so-called covered entities under the Health Insurance Portability and Accountability Act of 1996.
HHS says that while providers and other handlers of sensitive patient health information are not required to follow the new data security guidelines, the specified methods and technologies, if used, create the functional equivalent of a safe harbor: data protected that way is not considered "unsecured," so the stimulus requirement to notify affected patients does not apply if it is breached.
The guidance also outlines the steps that must be taken under the stimulus package if unprotected data are breached. HHS provided no estimate of the number of provider organizations where data breaches now occur, nor of the breach-notification costs providers might incur under the new stimulus rules. The Federal Trade Commission, however, in preparing its own proposed rule on breach notification for personal health-record vendors, did come up with some regulatory impact projections.
In its April 16 publication, the FTC estimated that personal health-record vendors would each average 11 data breaches per year, with breach-notification costs averaging $1 million a year apiece. Neither the FTC nor HHS estimated the cost to a provider's reputation if a data breach made it the subject of that day's top story in the local news media.
Despite all the hassles of breach notification, a safe harbor under the stimulus law still could be a mixed blessing to providers, and an expensive alternative, according to privacy and security experts contacted for this story.
Incorporating the most obvious technological fix, data encryption, won't be free or easy, according to Dave Miller, chief security officer for Covisint, a Detroit-based healthcare IT network services provider.
"The new stimulus rules and HHS guidelines will be raising the bar on security," Miller said. "I think it's going to be a fairly large expense for the industry."
Michael "Mac" McMillan, CEO and co-founder of CynergisTek, an Austin, Texas-based healthcare information security and compliance consultancy, agrees that the heightened security requirements of the stimulus act "will present some real challenges for some of our hospitals."
"Encryption is still not a universally implemented technology control in healthcare, particularly for data at rest," McMillan said.
Because of the varied technologies available and because the government hasn't gone through its rulemaking process yet, McMillan said it's difficult to estimate the cost of encryption for healthcare providers. "I think it's safe to say, pending an understanding of the final requirements levied, that this may not be inconsequential for small entities," he said.
Miller said he figures a lot of people will say the stimulus dollars should be spent on this, but some provider organizations, particularly smaller ones, "will take the risk, and do nothing," figuring, "We're going to do the best we can and cross our fingers."
Miller also said that the new requirements will likely touch off another information technology arms race in the healthcare industry.
"There will be a competition," Miller predicted. "Vendors will say, 'Let me tell you why the way we store information is better.' That's the capitalist system we work in."
Lisa Gallagher, senior director of privacy and security at the Chicago-based Healthcare Information and Management Systems Society, pointed out this day of reckoning with encryption has been a long time coming. According to Gallagher, HIPAA required covered entities to perform a risk assessment and secure patient-identifiable information accordingly, but kicked encryption down the road for more than a decade by not mandating its use.
Encryption, the encoding of information with a secret key so that only a holder of the matching key can decode it, is standard practice in other industries, such as Internet commerce and Voice over Internet Protocol phone services.
It is not, Gallagher said, ubiquitously used in healthcare, and particularly not for protecting data in storage, although it is more commonly used for data in transmission. "The HIPAA security rule didn't mandate encryption, but it certainly suggested it be considered in your risk analysis," Gallagher said. So, the recent tightening of federal rules to more strongly encourage, if not mandate, encryption is not news, she said.
"Those who aren't doing it, they are not acknowledging the risk that they have," Gallagher said. "Yes, it's expensive, but it is the cost of doing business. I don't think there is anything out of the ordinary here or onerous. They have to do encryption. I think we need to come to grips with that."