The Breach Notification Rule and Encryption
Unofficial reports of breaches of private healthcare, financial, and business information have reached over 11.5 billion records in the past 14 years (Privacy Rights Clearinghouse, 2019). One response to these breaches in the healthcare arena has been the addition of the Breach Notification Rule (BNR; DHHS, 2013; HITECH Act, 2009) as a component of HIPAA (2003, 2013). The BNR is structured in such a way as to strongly encourage healthcare professionals to use encryption. Though these regulations do not require such use, they exempt protected health information that is encrypted, at a sufficient level, from their requirements for notification of breaches. Put another way, if professionals adequately encrypt the protected health information on their digital devices, and those devices are lost, stolen, or hacked, the professionals are not required under the BNR to notify clients or to report to the U.S. Department of Health and Human Services. The reason is that encryption, when used correctly, offers a fairly high level of protection for protected health information.
This is one of the main reasons that The Trust Risk Management Team has recommended the use of encryption over the past few years. In the past, we suggested using Truecrypt for encrypting hard drives and other computer devices (such as external drives and flash, thumb, and key drives). Truecrypt's website (2014), however, announced that its security may have been compromised and that the program is no longer being supported. As a result, we no longer recommend its use. Although there is some disagreement about how quickly users should transition away from Truecrypt, we recommend that Truecrypt users transition as soon as it is feasible to do so. As you will see below, we have some suggestions for professionals who previously used Truecrypt, or who are seeking to begin using encryption software for the first time.
Before we make those recommendations, though, a brief explanation of encryption is useful. Encryption is the 'scrambling' or camouflaging of information—such as progress notes or names and diagnoses—by changing it into a form that cannot be understood by others. In other words, encryption translates meaningful information into a hidden form or code. Only people who have the key—usually a string of alphanumeric symbols that permits the coded information to be translated back into meaningful form—can read the document (Taube, 2013). Encryption has been used for thousands of years to protect trade, military, and other secrets (Schneier, 1996). Only recently has it become widely available to the public, and in a form that is significantly easier to use. It offers a much higher level of protection than passwords alone.
Though passwords can limit access to information by unsophisticated users, hackers can easily get around those passwords and gain access to the information on a device. Encryption, however, makes the information almost impossible to comprehend even if the password is bypassed. Though it is not a perfect solution¹, it is an increasingly widely accepted method for the protection of digital information.
The standard for encryption of protected health information has been set by HIPAA's BNR (128-bit encryption is the minimum). Thus, when professionals are seeking to employ encryption, they should look for assurances that this standard has been met.
Steps in selecting encryption software
The first step is to consider which devices you are using for professional purposes. Do you have protected health information on your computer at the office? On a laptop or tablet? On your smartphone? On a home device? Please note that even portable devices that hold only client names or contact information are subject to the HIPAA Privacy, Security, and Breach Notification Rules in the same way as the more detailed information on computers or tablets. Once you determine which devices need protection, you are in a position to explore the range of programs and applications that are available for professionals and consumers. Simple internet searches will turn up dozens, if not hundreds, of those programs. A more efficient way to determine which programs are appropriate is to consult online sites that review encryption software for a variety of different devices. Most of these review sites include opinions about three aspects of the encryption software: (a) the level of privacy protection the programs provide, (b) the ease of implementation and use of a given program, and (c) costs. The following list has sites that provide information about encryption for different kinds of devices, followed by review sites. We have categorized these sites according to the type of device or digital activity in which you might engage.
- Basic guides to computer and smartphone/mobile device encryption
- Smartphones/mobile devices
- Sites that review encryption software
- Smartphones/mobile devices
We are in a time of tremendous change in the development and handling of protected health information. The fast-paced evolution of digital technology and emerging problems in the security of software require professionals to keep abreast of changes related to risks to privacy.
References
DHHS. (2013). Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules. 45 C.F.R. pts. 160 and 164.
Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, Pub. L. No. 111-5, § 13001, 123 Stat. 226 (2009).
Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (2003, 2013).
Privacy Rights Clearinghouse. (n.d.). Chronology of data breaches: Security breaches 2005 – present. Retrieved from https://www.privacyrights.org/data-breach
Schneier, B. (1996). Applied Cryptography (2nd ed.). New York: Wiley.
Taube, D. O. (2013). Portable digital devices: Meeting challenges to psychotherapeutic privacy. Ethics & Behavior, 23, 81-97.
Truecrypt. (2014, May 20). WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues. Retrieved from http://truecrypt.sourceforge.net/
¹ As is now known, for example, the National Security Agency in the United States may well have access to information that has been encrypted with most publicly available encryption programs (The Guardian, 2013). Psychologists and other mental health professionals, however, are not required to use encryption that is capable of blocking access by such agencies.