HIPAA Rules on Data Encryption Explored by Federal Officials

by Patrick Kennedy | Feb 11, 2015

Late last week the Senate Health, Education, Labor and Pensions committee revealed that healthcare IT security is to be addressed and that it will “take up the matter as part of a bipartisan review of health information security”. The Associated Press reports that Jim Jeffries, spokesman for chairman Lamar Alexander, R-Tenn., said “We will consider whether there are ways to strengthen current protections.”

Last year saw major data breaches at Sony Pictures and Target which exposed highly sensitive information about staff members and customers, while the healthcare industry was subjected to a number of breaches, including the successful hacking of Community Health Systems in April and June, in which 4.5 million patient records were exposed. The latest incident is on a previously unseen scale in healthcare, having affected up to 80 million individuals.

The latest breach confirms the FBI’s prediction of more attacks on healthcare organizations. Hackers are targeting organizations for the data they store and the relative ease with which that data can be obtained. The threat is clearly not lessening, and it is up to the healthcare industry to improve data security so that all the healthcare and personal data it holds is managed safely.

Currently some areas of privacy and security are voluntary under HIPAA Rules and are left to the best judgment of each covered entity. The Senate Health, Education, Labor and Pensions committee will have to rule whether that needs to change.

Whether Anthem Inc. had put in place sufficient measures to protect data, as required by HIPAA legislation, is a matter for the Office for Civil Rights to determine. The insurer had opted not to use full-disk encryption of its data, although according to a spokeswoman for the company it did use encryption for data in transit.

Last week the insurer revealed that no health information had been taken by the hacker(s), although this does not mean that HIPAA rules have not been violated. On Friday the Department of Health and Human Services’ Office for Civil Rights issued a statement on the issue, amid media speculation as to whether the hack and theft of data was a HIPAA breach.

HIPAA Privacy and Security Rules apply to Protected Health Information, which includes diagnoses, treatments, treatment codes, prescriptions and doctor’s notes, none of which were reportedly taken. However, HIPAA also requires Personal Identifiers to be securely stored, of which the breach exposed many.

The OCR outlined in its statement that “The personally identifiable information health plans maintain on enrollees and members — including names and Social Security numbers — is protected under HIPAA, even if no specific diagnostic or treatment information is disclosed.” As such it is “treating the case as a privacy law matter.”

The OCR revealed that it had yet to receive an official breach notification from the insurer although under the HIPAA Breach Notification Rule Anthem has 60 days before it has to advise the HHS.

Such a large-scale data breach raises a number of questions regarding the level of security used to protect healthcare data and personal information, such as whether HIPAA legislation goes far enough to ensure privacy. The huge data exposures affecting the retail and entertainment industries in recent months clearly show the danger posed by hackers.

The Health Insurance Portability and Accountability Act was changed to protect electronic health records and personal identifiers with the passing of the Security Rule, yet serious data breaches are still happening. There are clearly gaps in HIPAA legislation.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile: