Will HIPAA Require Encryption?

By Megan Williams, contributing writer

You and your healthcare IT clients could be facing even more legislation around healthcare data, and this time it's about encryption.

Currently, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act do not contain mandates around encryption, but that may soon change. The Senate Health, Education, Labor, and Pensions Committee is rethinking its approach to encryption in its efforts to revisit HIPAA, according to FierceHealthIT.

The legislation is coming up on its 20-year anniversary, and many in the industry feel that regulations around encryption don't properly address the new security threats that are becoming so common in the healthcare sector.

HITECH

The answer to HIPAA's lack of focus on encryption came in 2009 in the form of the HITECH Act, which, much like today's Meaningful Use initiatives, placed incentives around encryption and avoided imposing a rigid solution across the industry. Indiana University law professor Nicolas Terry told the AP that it seemed like a reasonable balance at the time, but that recent events may have proven the compromise unworkable.

Basically, the industry hasn't gone for the incentives in big enough ways. Over 40 percent of healthcare employees aren't using full-disk or file-level encryption on their devices at work, according to a Forrester research report, leaving huge segments of the industry vulnerable just as attacks are increasing and security-testing concepts like the Internet of Things are taking off.

The current chair of the HIMSS Privacy and Security Policy Task Force doesn't believe much will happen, though, before the next presidential election.

On a smaller level, states like New Jersey have taken the lead and enacted legislation requiring health insurance companies to encrypt patient information, according to NJ.com. All insurance companies using data containing personal information must protect that data either by encryption or by any other method or technology that renders it unreadable, undecipherable, or otherwise unusable by an unauthorized person.

Where Encryption Falls Short
