HIPAA Rules on Data Encryption Explored by Federal Officials

Late last week the Senate Health, Education, Labor and Pensions committee revealed that healthcare IT security is to be addressed and that it will “take up the matter as part of a bipartisan review of health information security”. The Associated Press reports that Jim Jeffries, spokesman for chairman Lamar Alexander, R-Tenn, said: “We will consider whether there are ways to strengthen current protections.”

Last year saw major data breaches at Sony Pictures and Target which exposed highly sensitive information about staff members and customers, while the healthcare industry was subjected to a number of breaches, including the successful hacking of Community Health Systems in April and June, in which 4.5 million patient records were exposed. The latest incident is on a scale never seen before in healthcare, having affected up to 80 million individuals.

The latest breach confirms the FBI’s prediction of more attacks on healthcare organizations. Hackers are targeting these organizations for the data they store and the relative ease with which that data can be obtained. The threat is clearly not lessening, and it is up to the healthcare industry to improve data security so that all the healthcare and personal data it holds is managed safely.

Currently some areas of privacy and security are voluntary under HIPAA Rules and are left to the best judgment of each covered entity. The Senate Health, Education, Labor and Pensions committee will have to rule whether that needs to change.

Whether Anthem Inc. had put in place sufficient measures to protect data, as required by HIPAA legislation, is a matter for the Office for Civil Rights to determine. The insurer had opted not to use full-disk encryption of its data, although according to a spokeswoman for the company it did use encryption for data in transit.

Last week the insurer revealed that no health information had been taken by the hacker(s), although this does not mean that HIPAA rules have not been violated. On Friday the Department of Health and Human Services’ Office for Civil Rights issued a statement on the issue, amid media speculation as to whether the hack and theft of data was a HIPAA breach.

HIPAA Privacy and Security Rules apply to Protected Health Information, which includes diagnoses, treatments, treatment codes, prescriptions and doctor’s notes, none of which were reportedly taken. However, HIPAA also requires Personal Identifiers to be securely stored, of which the breach exposed many.

The OCR outlined in its statement that “The personally identifiable information health plans maintain on enrollees and members — including names and Social Security numbers — is protected under HIPAA, even if no specific diagnostic or treatment information is disclosed.” As such it is “treating the case as a privacy law matter.”

The OCR revealed that it had yet to receive an official breach notification from the insurer although under the HIPAA Breach Notification Rule Anthem has 60 days before it has to advise the HHS.

Such a large-scale data breach raises a number of questions regarding the level of security used to protect healthcare data and personal information, such as whether HIPAA legislation goes far enough to ensure privacy. The huge data exposures affecting the retail and entertainment industries in recent months clearly show the danger posed by hackers.

The Health Insurance Portability and Accountability Act was changed to protect electronic health records and personal identifiers with the passing of the Security Rule, yet serious data breaches are still happening. There are clearly gaps in HIPAA legislation.