Encryption anon – yep it’s a bee in the bonnet!

The HITECH Act and Encryption

Does the Health Information Technology for Economic and Clinical Health (HITECH) Act require you to encrypt electronic health records?† There has been heated discussion about this one.† To get to the bottom of the HITECH Act encryption issue, letís use the time honored technique of answering one question with another:

ìDo you have a lot of money you don’t need?î

If you answered yes to this question, don’t worry about encryption or the HITECH Act.† But unless you have millions of dollars to throw away, you should encrypt all the personal health information under your care, custody and control.†† Also encrypt the information you entrust to anyone else.

In April 2009, the U.S. Department of Health and Human Services (HHS) announced guidance which spells out which encryption and destruction methodologies it approves of.† When properly used, these methods will eliminate the need for notification in the event of a breach.

The HHSís HITECH guidance says that there are two ways you can make personal health information (PHI) unreadable, unusable or indecipherable to someone who has breached your system’s security ñ encryption and destruction.

Encryption uses a mathematical algorithm (formula) to make data unreadable.† To someone without the key to decrypt data, it’s just a bunch of† gibberish.† If you use strong encryption and make sure the decryption keys are safe, you wonít have a breach if someone hacks your system and steals personal data.

Destruction is a little more straightforward.† Destroy your paper and electronic records completely.† Remember:† you can’t just delete electronic documents because they are still there after deletion ñ they’re just hidden.

HHS got together with the National Institute of Science and Technology (NIST) to determine that encryption and description would be covered in the HITECH act.† These were both considered sufficient to protect each of the following four classes of information:

Data At Rest ñ Data at rest is data in a database or structured storage system that is basically just sitting there.† Patient medical records or insurance reimbursement information could easily be data at rest.† The guidance refers readers to NIST publication 800-111.

Data in Motion ñ Data in Motion is data that is moving through a network, including being transmitted wirelessly.† Data in motion can be protected by following NIST’s FIPS 140-2 standards and using FIPS 140-2 compliant encryption software.

Data Disposed ñ This is data that has been destroyed or recycled. The guidance refers to NIST special publication 800-88.

Data in Use ñ This is data that is being created, deleted, updated or retrieved.† This class of data is protected by the methods outlined in the other three classes listed above.

If you follow the requirements as described in the guidance and NIST publications, you’ll have the equivalent of a safe harbor in the event of a security breach.† You should not be subject to the breach notification requirements spelled out in HITECH.† As other postings in this blog highlight, the costs and penalties associated with a breach of unsecured data can be quite high.† The resulting required notifications can run into the millions of dollars.† And don’t forget the potential damage to your reputation and compromise of the trust your patients have in you.

On August 19^th, HHS published its interim final regulations covering both breach notification and an update of their April 2009 HITECH guidance regarding encryption and destruction of data.

While the blogosphere may be all atwitter over the answer to the question of encryption, we don’t even think there is a question here to answer.† Like Nike says… just do it.

Disclaimer: The author of this article is not an attorney, and the content of this post should not be construed as either a legal opinion or legal advice.

Rich Silverman
PC Healthstop Blogging Team

MICROSOFT HEALTH VAULT – an application in need of adaptation, rejigging, reworking, and because it’s Microsoft would be interface familiar.

Microsoft HealthVault, which launched in October 2007, is a free personal health record (PHR) service offered by Microsoft that allows individuals to store personal health and fitness information in a central location. The Web-based service is available to anyone with a Microsoft account.

Once logged in, users enter basic health information (such as allergies, medical conditions, family health history, and current medications), emergency contact information and a variety of measurements (such as height, weight and blood pressure). They can then choose to share this information with other people, including physicians as well as family members.

HealthVault partners with a variety of other health systems, services and devices (such as scales, pedometers and heart rate monitors) to provide additional value. One example is My CVS/pharmacy Prescriptions, which allows users to link prescription information directly to their HealthVault accounts. Meanwhile, those using the Walgreens Premium Arm Blood Pressure Monitor can connect the device to a PC and have the data uploaded directly to HealthVault.

Microsoft HealthVault is governed by its own HealthVault privacy policy explains the level of privacy and security that comes along with a HealthVault account. Because Microsoft is not a health care provider, Microsoft HealthVault is not regulated by the original Health Insurance Portability and Accountability Act of 1996 (HIPAA).

However, the Health Information Technology for Economic and Clinical Health Act (HITECT Act), passed as part of the American Recovery and Reinvestment Act of 2009, updates HIPAA security provisions to include Microsoft HealthVault and other PHR services. These provisions mandate that individuals must be notified by the responsible party if the confidentiality of their personal data is breached.