In a recent conversation with Mac McMillan at MGMA11, I got to quiz him on a wide variety of issues from the main security challenges for small practices to the big issues he has been wrestling with as chairman of the HIMSS Privacy and Security Policy Task Force. As we in the healthcare industry have been eagerly awaiting the clarifications expected to come out of the HHS final rule, which will strengthen HIPAA privacy and security safeguards, the issue of data encryption came up as one of the several thorny issues the HIMSS task force has been wading through.
For Stage 1 meaningful use, a healthcare organization’s EHR only had to have the ability to encrypt data; the entity did not yet have to encrypt. The Stage 2 proposed rule, however, recommends that organizations encrypt the data in their database, as well as all transmissions in and out of the EHR, says McMillan. “What that means is that covered entities are going to have to turn on that encryption for their backend databases,” says McMillan, “and they’re going to have to make sure they have encryption technologies that enable them to transmit data in and out of that EHR in an encryption form.”
McMillan says that only about 20 percent of hospitals now encrypt data at rest, so Stage 2 will be an uphill battle for the industry at large. He questions whether hospitals, and especially smaller medical practices, will be able to afford the burden of encryption, and he foresees the large impact this could have in driving consolidation among small medical practices.
McMillan also told me his committee has been discussing the language in the rule pertaining to the definition of a business associate of covered entities in the context of encryption. He says there are some vendors out there now telling their hospital partners that they don’t consider themselves a business associate because they only host the covered entity’s data, but never look at it. McMillan notes that a literal reading of the proposed rule says “provision of access” determines whether an entity is a business associate or not. Having access to the data, not whether or not the entity looks at it, is the minimum requirement to be considered an associate as the proposed rule stands now.
The debate now is whether, if the data is encrypted and the vendor hosting it does not hold the decryption keys, that vendor is still a business associate. “I believe they’re not a business associate because [the covered entity] has made the data inaccessible to [the vendor],” McMillan says. “One of the policy issues we’re looking at now is the language clear enough in the rule or does it need to be clarified even more because there are a lot of vendors out there that don’t want to sign business associate agreements and they’re trying to hide behind the fact that they don’t look at the data, and there’s not enough encryption going around to refute that.”
Jared Rhoads, senior research analyst at the Global Institute for Emerging Healthcare Practices at the CSC Corporation, discussed encryption in a recent report, “Achieving Comprehensive Health IT Privacy and Security.” He told Healthcare Informatics earlier that under the proposed rule an entity may determine that encryption is not reasonable and appropriate for addressing a particular risk, but if it does so, it must document that decision and implement equivalent alternative safeguards. Rhoads said, however, that few situations would justify not encrypting, so organizations should start investing in encryption now. To begin prioritizing, he recommended that organizations assess their resources. Many organizations will not be able to encrypt every server at once, so he advised starting with the servers that carry the highest traffic, sit furthest on the organization’s periphery, or carry the highest risk. “Most of the things like encryption are things that you ought to be doing because it’s the right thing, it’s good for your patients,” said Rhoads. “It may sound daunting but it’s within reach.”