Workgroup: Mandate encryption for provider information exchanges

HIM-HIPAA Insider, May 31, 2010

Encryption should be mandatory for one-on-one exchanges between providers regarding treatment, a privacy/security workgroup of the Office of the National Coordinator (ONC) for Health Information Technology (HIT) recommended on May 19.

During its meeting, a workgroup of the monthly HIT Policy Committee suggested that such exchanges include:

  • Encryption (no ability for the facilitator to access content)
      • Encryption ideally should be required wherever transmitted data could be exposed (mandated through meaningful use/certification criteria or a HIPAA Security Rule modification)
  • Limits on identifiable (or potentially identifiable) information in the message
  • Identification and authentication

“When information is exposed in transmission, it ought to be encrypted,” Deven McGraw of the Center for Democracy and Technology and a privacy/security workgroup member said in the meeting. “I think we need to be specific where we can.”

The Department of Health and Human Services’ (HHS) interim final rule on breach notification creates a “safe harbor” for unsecured protected health information (PHI) that is encrypted by certain standards. Covered entities and business associates (BAs) do not need to notify individuals about breaches involving such encrypted PHI.

Although the HIPAA rules include a “strong bias” toward encryption, it is not mandatory, McGraw said.

“HIPAA, love it or hate it, it still didn’t envision the infrastructure we have created today, and we need to build on what we have,” McGraw said.

Read the full story on HIPAA Update.