September 2014
The Breach Notification Rule and Encryption
Unofficial tallies of breaches of private healthcare, financial, and
business information have reached almost a billion records in the past
10 years (Privacy Rights Clearinghouse, 2014). One
response to these breaches in the healthcare arena has been the addition
of the Breach Notification Rule (BNR; DHHS, 2013; HITECH Act, 2009) as a
component of HIPAA (2003, 2013). The BNR is structured in such a way as
to strongly encourage healthcare professionals to use encryption.
Though these regulations do not require such use, they exempt protected
health information that is encrypted, at a sufficient level, from the
requirements for notification of breaches. Put another way, if
professionals adequately encrypt their protected health information on
digital devices, and those devices get lost, stolen, or hacked,
professionals are not required under the BNR to notify clients or report
to the Department of Health and Human Services. The reason is that
encryption, when used correctly, can offer a fairly high level of
protection for protected health information.
This is one of the
main reasons that The Trust Risk Management Team has been recommending
the use of encryption over the past few years. Truecrypt is one of the
programs we have suggested for encrypting hard drives and other computer
devices (such as external drives, and flash, thumb, and key drives).
Recently, however, Truecrypt's website (2014) announced that its
security may have been compromised, and the program is no longer being
supported. As a result, we are no longer recommending its use. Although
there is some disagreement about how quickly users should transition
away from Truecrypt, we do recommend that you begin that process as soon
as it is feasible to do so. Also, as you will see below, we have some
suggestions for professionals who previously used Truecrypt, or who are
seeking to begin using encryption software for the first time.
Defining encryption
Before
we make those recommendations, though, a brief explanation of
encryption is useful. Encryption is the 'scrambling' or camouflaging of
information—such as progress notes or addresses—by changing it into a
form that cannot be understood by others. In other words, encryption
translates meaningful information into a hidden form or code. Only
people who have a key—usually a string of alphanumeric symbols that
permits the coded information to be translated back into meaningful
form—can read the document (Taube, 2013, p. 88). It has been used for thousands of
years to protect trade, military, and other secrets (Schneier, 1996).
Only recently has it become more publicly available, and in a form that
is significantly easier to use. It offers a much higher level of
protection than passwords. Though passwords can limit access to
information by unsophisticated users, hackers can easily get around
those passwords and access the intact underlying information.
Encryption, however, makes the underlying information impossible to
comprehend even if the password is bypassed. Though it is not a perfect
solution [1], it is an increasingly widely accepted method for the protection of digital information.
The
standard for encryption of protected health information has been set by
HIPAA's BNR (128-bit encryption is the minimum). Thus, when
professionals are seeking to employ encryption, they should look for
assurances that this standard has been met.
Steps in selecting encryption software
The first step is to consider which devices you are using for
professional purposes. Do you have protected health information on your
computer at the office? On your smartphone? A computer or tablet at your
home office? Please note that even portable devices that hold only
client names or contact information are subject to the HIPAA Privacy and
Security Rules and the breach notification rules in the same way as the
more detailed information held on computers or tablets. Once you determine which
devices need protection, you are then in a position to explore the range
of programs that are available for professionals and consumers. Simple
Internet searches will turn up dozens, if not hundreds, of those programs.
A more efficient way to determine which programs are appropriate is to
consult online sites that review encryption software for a variety of
different devices. Most of these review sites include opinions about two
aspects of the encryption software: (a) the level of privacy protection
the programs provide, and (b) the ease of implementation and use of a
given program. The following list has sites that provide information
about encryption for different kinds of devices, followed by review
sites. We have categorized these sites according to the type of device
or digital activity in which you might engage.
- Basic guides to computer and smartphone/mobile device encryption
- Generally:
- Computers
- Android smartphones
- Smartphones/mobile devices
- E-mail
- Sites that review encryption software
- Computers
- Smartphones/mobile devices
- E-mail
Summary
We are in a time of tremendous change in the development and handling
of protected health information. The fast-paced evolution of digital
technology and emerging problems in the security of software require
professionals to keep abreast of changes related to risks to privacy.
References
DHHS Modifications to the HIPAA Privacy, Security, Enforcement, and
Breach Notification Rules Under the Health Information Technology for
Economic and Clinical Health Act and the Genetic Information
Nondiscrimination Act; Other Modifications to the HIPAA. 45 C.F.R. pts.
160 and 164 (2013).
Health Information Technology for Economic
and Clinical Health (HITECH) Act of 2009, Pub. L. No. 111-5, § 13001,
123 Stat. 226 (2009).
Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (2003, 2013).
Privacy Rights Clearinghouse (n.d.) Chronology of data breaches:
Security breaches 2005 – present. Retrieved from
https://www.privacyrights.org/data-breach
Schneier, B. (1996). Applied Cryptography (2nd ed.). New York, NY: Wiley.
Taube, D. O. (2013). Portable digital devices: Meeting challenges to
psychotherapeutic privacy. Ethics and Behavior. 23, 81-97.
Truecrypt. (2014, May 20). WARNING: Using TrueCrypt is not secure as it
may contain unfixed security issues. Retrieved from
http://truecrypt.sourceforge.net/
[1] As is now known, for example, the National Security Agency in the United
States may well have access to information that has been encrypted with
most publicly available encryption programs (The Guardian, 2013).
Psychologists and other mental health professionals, however, are not
required to use encryption that is capable of blocking access by such
agencies.