HIPAA standards are classified as either “required” or “addressable.” Data encryption is an addressable standard. It’s not “required” but that doesn’t mean it’s optional!
According to “Health and Human Services“, health care providers can choose not to implement addressable standards if the standard would be unreasonable or inappropriate. However “and this is critical” the choice must be documented.
There are certain situations where a provider could determine that it is not reasonable or appropriate to encrypt health records sent over email. For example, if the sender and the recipient are each connect securely to the same email server, document encryption may not be necessary. Emails and documents in a situation like this would never be sent over the open internet and adequate security could be achieved by the standard transmission security built into any modern email client.
Documentation is the key
But where a provider chooses not to implement an addressable standard, it is critical that the decision be documented and supported by a recent risk analysis. According to HHS:
Covered entities must consider the use of encryption for transmitting EPHI, particularly over the Internet. As business practices and technology change, situations may arise where EPHI being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities. Where risk analysis shows such risk to be significant, a covered entity must encrypt those transmissions under the addressable implementation specification for encryption.
It is important that decisions about addressable standards be re-visited at least annually. Cybercrime threats grow more sophisticated daily, and defensive tactics also mature and become easier to implement. What may have been a burdensome and unreasonable precaution six months ago might today have matured to become an industry-standard best practice.
The first thing an investigator will look for
The Federal Office of Civil Rights is reportedly investigating New Mexico’s decision to send patient health records by unencrypted email. The very first thing investigators will want to see is a written risk assessment and policy justification for not encrypting documents in transfer.
Too many small healthcare providers are running the risk of a HIPAA audit without even having a risk assessment and written security policy. When this happens, consequences can be dire. A two-physician practice in Idaho was “recently fined $50,000” for a privacy breach and failure to maintain a written security policy.
Solutions for small healthcare providers
Matterform Media mitigates these threats for small healthcare providers in Albuquerque.
We offer security audits to analyze a provider’s entire Line of Business and identify security weaknesses that run afoul of HIPAA. After preparing a detailed risk assessment, we schedule remediation according to risk priorities and the client’s budget. For more information, contact Matterform CEO Michael Herrick at firstname.lastname@example.org.