Removing the 'Cryptic' from 'Encryption' - HIPAA and the Meaning of Secure PHI

September 17, 2013 2:00 pm

Brian Balow of Dickinson Wright and April Sage of Online Tech discuss the HIPAA Breach Notification Rule and the implementation of HHS encryption standards to protect PHI. 

Presenters: Brian Balow, Attorney with Dickinson Wright, and April Sage, Director of Healthcare Vertical and Marketing at Online Tech.

In this webinar, Brian and April review the HIPAA Breach Notification Rule, and specifically its carve-out for encrypted PHI. While seemingly straightforward, the implementation of the HHS encryption standards raises a host of questions for covered entities and business associates.

April: Well, thank you again for joining us for another Tuesday at Two webinar. We’re very pleased to welcome back Brian Balow from Dickinson Wright. For those of you who haven’t met Brian before, he is a partner with Dickinson Wright and specializes in information technology, healthcare law, and intellectual property. We’re very fortunate to have him join us today to help us understand some of the legal implications around encryption, especially as it applies to the obligation to protect protected health information. So, Brian, welcome back. Thanks so much for being with us again today.

Brian: Thanks, April. April and I were talking before we started the webinar, and thought it was prudent to at least just get out in the open here that I am an attorney and I’m not a technologist, and therefore if any of you have an expectation … I think there are over 100 of you registered for this. But, if you have an expectation that this presentation is going to be heavy on the technical side, unfortunately you’re going to be disappointed because it really is targeted at the interplay between the encryption regulations and HIPAA, as well as Meaningful Use. So, the presentation is maybe misnamed a little bit because I am going to speak to the encryption issues under Stage 2 of Meaningful Use.

Another comment I’d just like to make at the outset, a general comment, even though I’ve been doing this for a while and I’ve been an attorney for over 25 years, I have not yet seen everything. What that means is I know many of you, because of the roles that you play in your organizations, have probably run across very specific fact situations that involve HIPAA, encryption, Meaningful Use, those kinds of things, and may have questions that are particular to those situations. Well, I’d like to be able to say to you that I’m so smart that I’ll have an answer to every one of them, but I don’t like to lie.

I worked for a judge in my first job out of law school, and the jurors would come into my office after every trial, and there were all sorts of books … That’s how long ago this was … books in my office. Inevitably, one of the jurors would say to the judge, “Does he know everything in those books?” The judge would always reply, “No, but he knows where to find it.” So, if I can be of assistance with questions, particular questions, I will certainly do so. Otherwise, hopefully I’ll be able to at least point you in a direction that may help you to find the answer that you need.

Brian: We are talking about encryption today, but we are going to narrow the focus of that discussion to encryption as it pertains to protected health information. I am going to focus simply on the PHI aspects. One last sort of general comment, and I found this interesting as well. When I prepare for these, I typically will go back and just do a little digging, historical digging. If you have time on your hands and you’re really bored, you might want to go back and look at some of the legislative history and some of the language around when HIPAA was actually adopted back in 1996.

It’s interesting and a little, maybe, disappointing that when you look back, even in 1996, there was a focus on the electronic exchange of health information. They knew that this was the wave of the future, even back then. Fast forward to September of 2013, and we’re still talking about issues that pertain to electronic health records, and how they’re protected, and Meaningful Use to try to incentivize organizations and providers to adopt records. So, we’re coming up on 20 years, and we’re still working on this stuff. So, anyway, with all that background, if you want to go to the next slide, April, that would be great.

Okay. So, the general overview of what I’ll discuss today is I want to talk about sticks and carrots as, again, the impetus for looking at encryption for your organization. So, the first stick, again, is the HIPAA Administrative Simplification Regulation. For those of you who are not aware, that’s actually the name of the regulation that includes the Security Rule, the Privacy Rule, the Breach Notification Rule, and the Enforcement Rule. They’re all rolled under that regulation. So, clearly, that is one of the sticks that would incent people to look at potentially encrypting protected health information.

The second is CMS and Meaningful Use, Medicare, Medicaid, and Meaningful Use. I look at that as both a carrot and a stick. The carrot being, obviously … Well, I shouldn’t say obviously. But, the carrot being if you adopt Meaningful Use of electronic health records, there are incentive payments available to eligible professionals, eligible hospitals, critical access hospitals. They’re not insignificant payments, so that carrot is out there, but it does require the … again, the adoption of the EHR and following the various Meaningful Use criteria throughout the three stages of Meaningful Use. As I’m sure most, if not all, of you know, HIPAA breaches can result in large fines and certainly in bad publicity. The fines, more often falling under breaches of the Privacy Rule and the Security Rule, and the bad publicity falling under the obligation to provide notice of a breach of PHI.

Achieving Meaningful Use will, as I said, result in payments. The stick in the Meaningful Use arena is if you do not meet the … as of today anyway. They keep moving the dates. But, as of today, if you’ve not achieved Meaningful Use by, I think, 2015, then they … Medicare and Medicaid begin to reduce the reimbursement for services provided. I think it begins at one percent, all the way up to a maximum five percent reduction in reimbursement. Finally, encrypting PHI can lessen both your HIPAA exposure and assist in achieving Meaningful Use, and we’ll talk about that in detail.

Brian: So, what I’m going to do is … I am a frustrated journalist. I was a journalism major for about five semesters in my undergrad education, but I always enjoyed the process of who, what, when, where, why, and how. I continue to apply that to my practice. But, I often reverse the order or shuffle the order of those questions. So, today, I’m going to shuffle them to look at what first, in terms of what are we talking about that requires protection? The second thing will be why, why is the protection important? The third, how … How should it be protected?

Then, finally, when I was thinking about and putting this together, who should encrypt? I have been guilty in the past, and I don’t think I’m alone, but I have been guilty in the past of making maybe broader statements in certain contexts than really are appropriate. I think it’s sort of an easy conclusion to reach that, “Well, why wouldn’t we encrypt?” There are obvious benefits to encrypting, as long as you do it the way that it’s required under the regulations. But, it is not necessarily “one size fits all,” and context does matter. So, again, as I was putting this together, I thought I would end up looking at, “Who should encrypt?” So, when we get there, I’ll show you how I thought through that.

I thought I’d do a word about our sponsor, Online Tech. Full disclosure, I do do some legal work for Online Tech and have been affiliated with them for a couple of years now. But, I want to say, for those of you who are new to Online Tech and these webinars and the other resources that they have, they are truly, in my opinion, a phenomenal organization in terms of what they do on the education side and on developing the kinds of resources that ought to be of use to all of you on this webinar.

So, I wanted to point that out, and as I was doing my research for this webinar, I ran across resources that were already existing on their website, they have done a couple of encryption related webinars already this year, so I’ve given the URLs to those. April, we talked about this before we started the webinar. April thought it would make sense as well because this is not a technology oriented webinar, that she could give links as well to some that they have done previously that are technology related. April, you want to just make a quick comment on that, if you wouldn’t mind?

April: Thanks, Brian. Appreciate the quick shout-out here. Fortunately, for us, we’ve had very good teachers on this, so I just wanted to mention that all of our webinars are recorded, and so if folks just want to go to, you’ll be able to find the previous webinars that discussed some of the technical aspects of encryption at both the software and the hardware level. So, if anyone has any questions, we’ll have our contact info at the end, and I’ll be happy to point you in the right direction. Thanks, Brian.

Brian: Okay. Now that we’ve gotten that completed with the advertising segment, we can go to the next slide. Okay. So, what … What is it that we’re looking at potentially encrypting? Under HIPAA, it is protected health information. The definition is very straightforward. As it says, it’s individually identifiable health information. So, then you have to go into the reg and look at, “Well, what is individually identifiable health information?”

The definition is … and bear with me during this webinar, but because it is a webinar, I’m going to read more than I normally would at a presentation. But, since you can’t see me, I think this is the best way to proceed. So, it’s information that relates to the past, present, or future physical or mental health or condition of an individual; a provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual … and that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

So, that last part of the definition gets to the whole concept of the de-identification of patient information. I’m not going to talk about that in any detail today, but kind of file it in the back of your mind if you’re not already aware of that, that there are exceptions to compliance with the Administrative Simplification Rule for information that is de-identified.

Conversely, if you have information that while you might think doesn’t specifically identify an individual, if taken together someone could reasonably figure out who it is by looking at that information, you should treat it as individually identifiable information, and then protected health information in the healthcare arena. There is a lot of overlap with other personally identifiable information centered laws, as you probably know … well, laws, regulations, and industry standards.

You probably know about the State Data Breach Notification Laws, and they tend to use the definition of personally identifiable information. You have the PCI DSS, the Payment Card Industry Data Security Standard, which is not a law per se, but it is an industry standard, and any credit card issuer needs to comply with that. Then, the Gramm-Leach-Bliley Act, which pertains to financial institutions. These are just three examples. There are others out there. But, the point being that if it’s individually identifiable information in the healthcare industry, it’s likely individually identifiable information in other industries as well.

Brian: Okay. So, that’s “what” we’re talking about potentially encrypting protected health information. So, why? Why … What is it that would drive us even down this road at all? Number one, and these are both HIPAA concepts. Number one is the Enforcement Rule, and the Enforcement Rule sets the liability standards and the penalties for non-compliance with the Privacy Rule and Security Rule. Were we in a live room, at this juncture I would ask if you wanted a further explanation of the Privacy Rule and the Security Rule. I’m expecting that most on this webinar have at least a nodding acquaintance with both of these rules, but the bottom line is this.

The Privacy Rule deals with how PHI may be used. There are certain treatment, payment, things like that for which covered entities and business associates can exchange PHI without permission. There are other uses of PHI that either require an ability for the patient to opt out or object to that use, and there are other instances in which the express written authorization of the patient is required before the PHI is shared. That’s the Privacy Rule. That’s how PHI is shared.

The Security Rule deals with how PHI is kept secure … hence the name. It deals with technical safeguards, physical safeguards, and administrative safeguards. This is the part of HIPAA that really has caused most of the noise over the last nine months, since the final rule came out, because there was a host of business associates out there who suddenly were directly liable under the Security Rule and who probably did not have the administrative, technical, and/or physical safeguards in place, excuse me, that was now required of them. So, the Security Rule deals with how PHI is protected.

The Breach Notification Rule, on the other hand, sets the parameters under which a covered entity must provide notice of an acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule … again, how information can be shared … which compromises the security or privacy of the protected health information. So, shorthand, that’s called a breach of PHI, but that’s what the Breach Notification Rule deals with. Okay. Next slide.

Brian: The OCR, which is the Office for Civil Rights of the Department of Health and Human Services, which is the enforcement arm under HIPAA, has become much more active over the last few years. HIPAA breaches were sort of a non-existent entity up until about three years ago. With the passage of the HITECH Act under the ARRA law, suddenly there were some teeth in it. Not only the OCR, but the regulations allow state attorneys general to pursue HIPAA breaches as well.

So, as a consequence, here’s one graph from the OCR website, enforcement results from last year. You can see they have total resolutions of almost 9,500 HIPAA complaints. That’s a lot. I can tell you that I probably get one email a day from an individual believing that they’ve either witnessed or were the victim of a HIPAA violation, and that’s not an underestimate. Some days, I’ll get two or three. I do not represent individuals in those cases, but the point being, this is really top-of-mind for people because a few years ago, I didn’t get any. So, I think it really has become a visible issue out in the marketplace.

I will say, just very quickly, that if you are an individual and you believe that your HIPAA rights have been violated, as of now, there’s really not a private right of action for you to take. In other words, talking to a lawyer won’t necessarily really get you anything, and that for now, my recommendation and how I respond to those inquiries is, “Go to the OCR website, and they have a place where you can file a complaint, and it will be handled in that regard.” Okay. Next slide.

Brian: So, with the Omnibus Final Rule that came out in January, they upped the civil money penalties, again, I think to get everybody’s attention. This chart’s very simple. It talks about the violation type, the potential fine for each violation, and then the cap, each year, for repeat violations of the same kind. So, in other words, if you have a violation of the Privacy Rule and a violation of the Security Rule, those count as separate kinds of violations, and consequently the cap would only … If you were fined a million dollars for each of them, you’d still have a $500,000 balance left for each category for the remainder of the year.

Another change with that, really, was the manner in which they were assessed. It used to be if there was an expectation of harm from an unauthorized exposure, and they have changed that standard to a lower standard. Basically, you now have the burden to prove and to show that the disclosure will not result in someone actually reading and understanding that PHI. So, the threshold for liability has been lowered. The fines have been raised. So, there is clearly a stick out there now. Again, when you add in the state attorneys general to the OCR, you’ve got a lot more enforcement avenues out there as well. Okay. Next slide.

Brian: So, again, reframing this … We’re talking about why, why would you consider encryption? So, with respect to the concept of encryption under the Security Rule, this is straight from the text, and so what it says … So, again, I want to back up one step. The Security Rule says that each covered entity and business associate has to implement administrative, technical, and physical safeguards to ensure the protection of protected health information. So, within the Security Rule, it speaks to standards. Some standards are required, and some standards are what are called addressable.

So, there are certain standards that say, “You absolutely have to do this.” The other standards say, “Here is something we’re recommending or suggesting that you … actually requiring that you look into. If you look into it and it fits within your overall security for PHI, then you should do this.” Okay. So, the rule says, “Encryption and decryption, it’s an addressable standard.” So, it says, “To implement a mechanism to encrypt and decrypt electronic protected health information.”

Then, what does it mean to be addressable? It says, “Whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework.” So, again, context matters. For example, a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.

So, putting all that language aside, again, context matters. But, for purposes of you listening to this right now, you do need to understand that the Security Rule has an addressable standard that speaks to encryption of PHI. So, in my mind, what that means is you need to go into it with the thinking that as you’re looking at it in the context of your overall security, that unless you have a pretty good reason not to encrypt …

For example, if you’re a single physician in a single provider office, and all your records are paper, and you’re not interested in Meaningful Use or Medicare, it doesn’t make sense. So, would HIPAA require you, under that circumstance, to adopt this addressable standard? No. But, in many, many, many cases, I guess what I’m saying is you should look at it as sort of the default provision, and if you can find a legitimate reason not to go down that route, you’re going to have to document it and make sure that your argument is well defended in that documentation. You can show that you did the analysis and how you came to the conclusion that you came to. Okay. Next slide.

Brian: Okay. So, the Breach Notification Rule, the general rule there is a covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been or is reasonably believed by the covered entity to have been accessed, acquired, used, or disclosed as a result of such a breach. The key word there being “unsecured.” Protected health information, be it electronic … Excuse me … protected health information, becomes secured through the adoption of encryption techniques that are approved under the HIPAA regulations. We’re going to get to that in a minute.

So, the analysis for you folks is, all right, what happens if … What happens if I have unsecured PHI and we have a disclosure that fits within this definition? Well, then I have to go look, and I have to figure out how many individuals are affected. At a minimum, I have to notify the affected individuals. If, heaven forbid, that it’s more than 500, then I got to go public … and on, and on, and on. So, putting aside the potential civil money penalties, which are not insignificant again … But, putting that aside for now, which is still in this equation, if you’re dealing with unsecured PHI and you have a breach like this, you have the added cost, number one, of hiring a lawyer or using internal resources to do the analysis and prepare all of the notices and figure out everyone that you have to track down.

Keeping in mind, as well, that you’re probably going to have to do that with State Data Breach Notification Laws, potentially Federal Trade Commission issues related to your privacy policy. So, that’s the thought process. If I’m not going to encrypt, I need to be aware that that’s the road I may potentially have to go down … as well as the bad publicity that goes along with it. So, again, the thinking is, “Okay. If I encrypt, then I need not worry about this.” Okay. Next slide.

Brian: Okay. So, shifting now from HIPAA to Meaningful Use Stage 2. Again, this is through the Medicare and Medicaid side of things, and the incentive being that if you achieve Meaningful Use, you obtain payments whether you’re an eligible professional, hospital, or a critical access hospital. If you don’t, you start to get payment reductions starting in 2015. So, what do the Meaningful Use regulations say about encryption? They are more focused than HIPAA is on … Well, I should say their focus is really aimed at the end user device encryption.

Most of the breaches of PHI have occurred with respect to laptops, flash drives, hardware. Personal hardware that’s actually mobile and carried around, that’s where the biggest issues continue to arise. That’s where the breaches seem to be continuing to occur. As a result of that, when they put together the Stage 2 requirements, Medicare and Med … the Centers for Medicare and Medicaid Services, again, they focused on end user device encryption. So, what it says is in order to achieve Stage 2 Meaningful Use … This is a requirement, and I highlighted the language … electronic health information that is stored must be encrypted in accordance with the standards specified in Section 170.210. Okay?

I would also say … Well, I wanted to point out too that they do give you an option. At the beginning it says “or” of these that must be met. So, it’s either one or two. One is the encryption. Two is at the bottom there. EHR technology, that is electronic health record technology, is designed to prevent electronic health information from being locally stored on end user devices after use of EHR technology on those devices stops. So, in essence, you have the technology in place such that no PHI remains stored on the local device after its use. Okay. Next slide.

Brian: Okay. So, again, Meaningful Use incentives and penalties. To receive a maximum incentive payment, Medicare eligible professionals must begin participation by 2012. Eligible professionals … That, again, is providers. Individual providers who demonstrate Meaningful Use of certified EHR technology can receive up to $44,000 over five continuous years under the Medicare regulations, that should say.

Incentive payments for eligible hospitals … For those of you who work with hospitals, it is pretty complex. So, rather than try to explain it here, I just put the URL on there where you can find some documentation that helps in the calculation. I believe it begins at two million dollars depending on the size of the hospital and the number of admissions and discharges. There’s a whole, again, structure in terms of how they calculate those incentive payments.

Again, beginning in 2015, eligible professionals who do not successfully demonstrate Meaningful Use will have the payment adjustment. From everything that I hear talking to providers, and I try to take some of these things with a grain of salt, but I do know that there has been fee compression, and reimbursements are down. So, one percent may not sound like a lot, but talking to them, certainly five percent is a lot, and even one percent would have a very negative impact on their practices. So, again, that’s why we would look at encryption.

Okay. So, now we shift to “how.” HIPAA speaks to the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, and such confidential process or key that might enable decryption has not been breached. So, this question comes up quite a bit. In fact, it came up at a conference a couple of months ago. Is it enough to simply say, “We’ve encrypted under HIPAA,” if you have an incident?

The answer is “No.” You not only have to demonstrate that the PHI was encrypted that was accessed, but you’ve got to show that the confidential process or key that might enable decryption has not been breached as well … for obvious reasons. It doesn’t help if the PHI is encrypted, but whoever took the PHI also took the key to decrypt it. So, you have to be able to demonstrate both. Secondly, to avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. Yes, on this line, which comes from HHS … and it’s self-evident, I think. Okay. Next slide.

Brian: Continuing on HIPAA, the encryption processes identified … and this is verbatim … from HIPAA, have been tested by the National Institute of Standards and Technology (NIST), and judged to meet this standard, meeting the encryption standard. You can read that for yourself, but if you have any questions about what standard has to be met in order to meet the encryption requirement under HIPAA, here it is. You can obtain those guides readily from the NIST website.

Obviously, if you’re a lawyer like me, then you get your technologist involved to read through it, identify what needs to be done in order to implement those encryption processes. But, for purposes of us today, we know that they’re telling us … Health and Human Services and the Office of Civil Rights are telling us, through this regulation, that if you apply one of these standards, the first one’s for data at rest; the second is for data in motion. If you apply these standards, then we will deem you to have properly encrypted the PHI. Okay. Next slide.

Brian: All right. I added in some additional Online Tech links, so you can take a look, Encrypting Data to Meet HIPAA Compliance, and related links. Okay, CMS on Meaningful Use, and I thought this was a really good quote here because I know one of the things that entities and individuals struggle with is, “Okay. Well, I’ve got five different entities requiring me to do sort of the same thing. Is there one … If I do one, will it help me comply with the other four?” I cannot help you on this call with if you’re subject to the PCI standards, State Data Breach Notification Standards, FTC standards … and they all sort of say the same thing, but not exactly.

But, at least in this case within the healthcare arena, as between CMS and HHS, CMS is saying with respect to their encryption requirement under Stage 2 of Meaningful Use, “We did not propose to change the HIPAA Security Rule requirements or require any more than is required under HIPAA. We only emphasize the importance of an EP (eligible professional) or hospital including in its security risk analysis an assessment of the reasonableness and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent measure.”

So, we talked about this a few minutes ago when I was talking, really, about the risk assessment under HIPAA and the addressable standard of encrypting data. So, CMS appears to be saying the same thing. What we’re asking really is, and I think what they’re really saying is, “If you are properly performing a HIPAA security risk analysis, which you are required to do if you are a covered entity or a business associate, then whatever conclusion you reach as pertains to encryption, under that regime, should suffice under the Meaningful Use regime.” Okay. What they’ve approved, in terms of encryption, is the next bullet, “Any encryption algorithm identified, again, by NIST as an approved security function in Annex A of the Federal Information Processing Standards Publication 140-2.” Okay? Then, as far as a test procedure for encryption under the CMS guidelines, the URL is there at the bottom of the slide.

So, let me stop there for just a second and give my usual speech about OCR and HHS and resources and CMS. If you’re not taking advantage of those websites, I again strongly encourage you to do so. If you’ve got a couple hours … If you’ve not been on there and you’ve got a couple hours one morning or one afternoon, just go into them and navigate through them because I will tell you that they have done a lot of work and gone to a lot of effort, and I’m not here to preach for the government, but they have put in a lot of effort, I will say, to put resources and information on their websites to help the healthcare industry to understand, number one, and then secondly comply with what is now required under HIPAA, as well as what’s required with respect to the Meaningful Use regulations.

Okay. So, as I said, I wanted to just wrap up by talking about who, who should encrypt protected health information? So, the “what” is protected health information. The “why,” we’ve gone through. The “how,” I can give you some direction on the “how,” but again I’m not a technologist, but I can point you to what has been approved by HHS and CMS in terms of standards that you can work towards. So, the last question then is who … You’re all sitting on the webinar thinking, “Well, is this something I need to do if I’ve not already done it?” My first comment is encryption is just one of many tools and is not required in all environments.

I’ll go back to my sort of silly example about … I’ll use the Upper Peninsula of Michigan. The doctor has been in private practice for 50 years, and he only takes cash, and he’s got all paper records. Well, he’s not going to encrypt. Even though it’s an addressable standard under HIPAA and even though in order to receive incentive payments from Medicare, you likely need to do so, it doesn’t fit within … I should say “his or her.” It doesn’t fit within his or her practice. So, in that case, there’s a wild example of someone who would not need to encrypt.

But, if you are an eligible professional, an eligible hospital or critical access hospital, the likelihood is that encryption makes sense to achieve Meaningful Use. The way that I read the regulations is it’s pretty much if you want to meet Stage 2, you’re going to encrypt. It would probably be a rare case where you could get out from under that under Stage 2. Secondly, if you are not one of the above. If you don’t take Medicare or Medicaid and you’re not in that system, but you are a covered entity or a business associate, then you shift your risk assessment, which is again required under the Security Rule, and that should guide your decision on whether to encrypt.

You are still subject to HIPAA as a covered entity or business associate. You don’t care about Meaningful Use. You still need to do that Security Rule risk assessment. That will guide your decision on whether to encrypt. Remembering, again, it’s an addressable standard and it’s almost like you got approved why you shouldn’t encrypt; why your environment, your technical safeguards, physical safeguards, and administrative safeguards … why they are sufficient, in and of themselves, such that the further steps of encryption of PHI might not be required. Again, you would need to document your analysis as well as your conclusion. Next slide.

Brian: Breach Notification Rule alone, let’s assume that you are that entity, that covered entity. You did the risk assessment under the Security Rule, and you kind of came out saying, “You know what? Given the way that we do things and the other safeguards we have in place, we think we can make a case not to encrypt.” You might look at the Breach Notification Rule and say, “You know what? This alone might be enough to drive a decision to encrypt,” because of the potentially negative publicity if reporting is required. There should be a “D” on the require. I apologize for that. But, that might be enough, and it’s sort of a separate analysis, in my opinion. So, that’s another reason why you might consider encrypting.

My last point is sort of the first point, I think, I made at the outset of this webinar. Like most regulatory and legal considerations, one size does not fit all; context matters. You have to know your own circumstances. You have to apply your facts to the regulations and make your own determinations as to … If, again, if you look more deeply into some of the materials on the … I think it’s on the HH or the OCR website. In terms of that addressable standard for encryption, if you look into that, they acknowledge there’s a laundry list of factors that you might look at while you’re doing that analysis. Cost being one of them. The nature of your existing environment, how you handle PHI; how you transmit PHI … so on and so forth.

Actually, I think this slide is in there by accident, so you can just move through that. The disclaimer, which we always put in our presentations, it is informational only. It’s not legal or professional advice. Getting aside, as I said at the outset, I’m sure you each have fact patterns and issues that are pertinent to your own lives and practices. But, what we talked about here today, talked about here today, what I talked about here today is just general informational. Some of it’s my own opinion. But, I hope it was of some value and use to all of you. I appreciate you bearing with me for the last about 45 minutes. The last slide has my contact information on it.

April: Just real quick, I wanted to let folks know about some upcoming events. If you’re in the Ann Arbor area, please reach out to us if you’re interested in attending our VMware Bootcamp. For those of you who are going to be in Boston next week at the HIMSS Privacy and Security Forum, we’d love to connect with you and get your feedback on encryption and other areas you may be concerned about. For those of you in the Michigan area, we’ll see you at Detroit SecureWorld in October.

I’m going to move on to Brian’s contact info. Brian, we’ve had some questions that have popped up. The first one is, “Is it a risk if encrypted PHI data references unencrypted care provider data, such as the care provider’s address?”

Brian: Say that again.

April: Yes. “Is it a risk if encrypted PHI data references unencrypted care provider data, such as the care provider’s address?”

Brian: I would not think so, and I’m going to qualify that by saying remember what I said earlier on about individually identifiable information. So, I’m making the assumption that there are no other data elements in the provider’s ... in the care provider’s information that would direct me to the patient whose information is encrypted. I can give the crazy example of if you had a physician who only had one patient, then it would be a problem. But, I can’t imagine that scenario except for maybe Michael Jackson.

April: Alright.

Thanks for that. Another question is, “Given the high OCR penalty ceilings, do you see evidence that covered entities are merely increasing their liability insurance to address the security obligation deficiency as a cost of doing business?”

Brian: Well, I think they’re going to have issues with that with the insurance community. I know enough about the insurance angle to be dangerous, but I would say this. Any underwriter, as most of you know, does due diligence before they issue a policy. I expect that the sophisticated underwriters in this area, before they offer a policy at a reasonable premium, are going to want to know that their insureds are compliant with HIPAA. Alright? They’re not just going to issue a policy to anybody without doing any due diligence. So, I don’t know if that’s an effective strategy or not.

I will say that in the business associate covered entity environment, covered entities certainly are requiring their business associates to obtain insurance. There’s no doubt about that. Which, in a way, is maybe a good thing in the overall scheme of things, putting the cost aside, because it really is sort of forcing the hands now, of everyone who’s involved in the handling of PHI, to kind of get their ducks in a row.

April: That makes sense. We’ve got a potential conduit question here. “How does VoIP or telephone information relate to HIPAA? Does a VoIP service provider need to encrypt voice communications?”

Brian: Okay. I was lucky enough to see that before we got on the webinar, and I think I have the answer to that … and here it is. This is actually from the definitions under HIPAA, under Section 160. The definition is electronic media, all right? Electronic media, and I’m not going to read you the whole definition, but I am going to read the exclusion from the definition of electronic media. The exclusion says, “Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.” Okay?

So, if I am transmitting by my voice, that information did not exist in electronic form immediately before the transmission. So, if it’s not electronic media, then the definition of protected health information speaks to … and I’m reading again from the definition. It means individually identifiable health information that is transmitted by electronic media, maintained in electronic media. Okay?

April: Interesting.

Brian: So, I think the answer is, “No.” But, I don’t want to say for sure because I’ve not done any more investigation than what I just read to you. But, we should all be concerned that devices, like copiers, copy machines, potentially VoIP systems … I think you really have to look at the nature of the system. We have a VoIP system now, on our email, that many of you probably have that makes a very poor attempt to translate voicemail messages into words in my email.

I would certainly expect something like that, because it has the ability to store PHI electronically, that if you are going to encrypt, you would want to be sure that that is encrypted … as it resides on my device. But, if you’re merely talking about using a VoIP phone, as opposed to a regular old telephone, for a doctor to pick up messages from a messaging service where they’re talking live across that VoIP, I read this definition as excluding that from requiring encryption.

April: Well, Brian, thanks for doing your homework on that one. That’s awesome that you came prepared for that one in advance. Anyone else who has a last question here? We’ve got a couple more minutes. Or, if you think of questions for Brian after the webinar, please reach out to Brian at the contact info you see now. We will send out a link to this recording, within the next couple days, to all of you. In the meantime, I hope everyone has a great week. Brian, thanks again so much for sharing your expertise with us once again.

Brian: Thank you. I appreciate it. Have a good day.

April: Have a great day, everyone. Bye.

Brian Balow, Dickinson Wright Law Firm

Brian Balow is a member of the law firm Dickinson Wright PLLC, where he concentrates his practice in the areas of information technology, healthcare law, and intellectual property. Brian has worked with Fortune 100 clients over the last fifteen years on Information Technology-related matters, including the drafting and negotiation of agreements, formulation and implementation of policies and procedures for the management of IT (including outsourcing-related issues), counseling and advising on privacy and data security issues, and assisting clients in favorably resolving disputes with IT vendors (including disputes with the BSA and SIIA).

More recently, Brian has spoken and written extensively on healthcare IT and telemedicine issues (including HIPAA/HITECH issues). In 2012, Brian presented on social media in healthcare issues at HIMSS12 in Las Vegas and to the National Council of State Boards of Nursing in Idaho, on regulation of mHealth technology at the SoCal HIMSS Health IT Innovation Summit in Yorba Linda, California, and on BYOD issues at the HIMSS mHealth Summit in Washington, DC. In December of 2011, Brian contributed the chapter entitled “Allocation and Mitigation of Liability” to the ABA Health Law Section’s “E-Health, Privacy, and Security Law” treatise.

Brian is a 1988 cum laude graduate of the University of Georgia School of Law, where he was twice a scholarship recipient and was Managing Editor of the Georgia Journal of International and Comparative Law. Following graduation, Brian served as a judicial law clerk to the Hon. James Harvey in the United States District Court, Eastern District of Michigan.


April Sage, CPHIMS, Director Healthcare Vertical, Online Tech
April Sage has been involved in the IT industry for over two decades, initially founding a technology vocational program. In 2000, April founded a bioinformatics company that supported biotech, pharma, and bioinformatic companies in the development of research portals, drug discovery search engines, and other software systems.

Since then, April has been involved in the development and implementation of online business plans and integrated marketing strategies across insurance, legal, entertainment, and retail industries until her current position as Director Healthcare Vertical of Online Tech.
