HIPAA Doesn’t Require Data Encryption, But You Should
Data Encryption Saves Millions in HIPAA Breach Penalties
Mike Semel, HIT Security
Every time there is a HIPAA data breach penalty for a lost laptop or hard drive, Office for Civil Rights (OCR) Director Leon Rodriguez says that the penalty would have been avoided if the data was encrypted. The HITECH Act of 2009 modified the HIPAA data breach rule by stating that if a device is lost or stolen, the loss is not reportable as a HIPAA data breach if the data is encrypted in compliance with data encryption guidance from theNational Institute of Standards and Technology (NIST.)
In 2012 a hospital was fined $ 1.5 million for a doctor’s stolen laptop and a state health department paid $ 1.7 million for a lost backup drive. Had the drives been protected with encryption, which can cost less than $ 150, the losses would not have even been reportable. In addition to the exemption from large fines, with data encryption you will not face the added costs and embarrassment of notifying patients and the media of the data loss.
After a recent settlement with a hospice that paid $ 50,000 for a stolen laptop that contained just 441 patient records, OCR Director Leon Rodriguez said, “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information. Data encryption is an easy method for making lost information unusable, unreadable and undecipherable.”
What is data encryption?