Data Fast News

Encrypting HIPAA Data to Avoid Hefty Fines

Under HIPAA, the use of encryption is not mandatory; it is “addressable” rather than “required”. However, a Health and Human Services administrative law judge (ALJ) recently ruled that the University of Texas M.D. Anderson Cancer Center must pay $4.3 million in fines for failing to safeguard patient information on unencrypted devices. According to Health Leaders Media, M.D. Anderson decided to encrypt all devices in 2008, but by 2013 had still not done so. The breaches were reported by M.D. Anderson to OCR in 2012 and 2013 and involved an unencrypted laptop that was stolen and two unencrypted thumb drives that were lost. The laptop contained electronic protected health information (ePHI) of more than 29,000 people, and the two thumb drives together contained ePHI of 5,800 people. M.D. Anderson plans to appeal the decision.

This recent ruling is a reminder that healthcare organizations and their covered entities must implement new ePHI policies expeditiously. A vital factor in securing ePHI is fully utilizing encryption. It is a crucial link in security that can thwart hackers and thieves, yet many in healthcare have yet to adopt it. Why it is not used more extensively is not fully known. Affordable encryption technology has been available for quite some time, although it can be complicated for those not well trained in implementing it. What is now apparent is that an administrative law judge will not accept a lack of encryption as a viable excuse for leaving ePHI vulnerable. Putting together an encryption plan and implementing it quickly, before a breach can take place, is therefore important.

The National Institute of Standards and Technology (NIST) has published the Guide to Storage Encryption Technologies for End User Devices (SP 800-111). This guide gives IT and security personnel at healthcare organizations, or their covered entities, excellent information on encryption. It provides “real-world guidance for three classes of storage encryption techniques: full disk encryption, volume and virtual disk encryption, and file/folder encryption. It also discusses important security elements of a storage encryption deployment, including cryptographic key management and authentication.” While this guide covers only the encryption of data at rest, not the encryption of data in transit, it is a good way to educate healthcare entities on how to plan, implement, and maintain storage encryption solutions.

Implementing encryption is not an easy task for small and large healthcare offices alike. Using guides like the one published by NIST is a good start, but engaging IT companies with encryption experts can make the process much easier. Those trained in encryption can make sure that if a device is lost or stolen, the ePHI stored on it remains unreadable. Had M.D. Anderson fully implemented its 2008 decision to encrypt its devices, it would not be facing a $4.3 million fine.

From planning to implementation and ongoing support, an IT company like Data Fast Solutions can make sure your encryption plan is rolled out effectively. Contact Data Fast Solutions for more information today!

This article is ©2018 Data Fast Solutions • All Rights Reserved