As I have continued to digest the Breach Notification regulation, the revised security guidance came up again. The security guidance makes it clear that for electronic PHI to be secured, the encryption key and encryption tool need to be kept separate from the encrypted information. Keeping the encryption key separate does not strike me as that big of a concern. The encryption key is usually a password that you type into the program to unlock the data. Keeping the encryption key on your computer is just like putting a post it note with your username and password on your computer. (Or leaving the keys to your house in the front door.) It makes your security efforts worthless.
Keeping the encryption tool separate seems like a bigger issue, especially in home care where the use of laptops is more prevalent. It appears that CMS's Office of Civil Rights considers the term tool to mean the software that was used to encrypt the data. (Which is how I would read that term.) This means that the encryption software must be kept separate from the data on which it was used in order for the PHI to be considered secured. Any system in which the encryption tool is on the computer, does not meet this standard. This raises a number of practical concerns for home health and hospice providers who use laptops in the field.
In a number of previous seminars, I have discussed the idea of encrypting laptops as a way to secure the information on them. I have even given examples of software, such as Filevault on the Macintosh, that is built into the operating system and will encrypt files or the entire hard drive. If you used such a built-in software tool on the laptop to encrypt the information on it, CMS would not consider that to be secured for purposes of the breach notification rule. If your point of care software has a built in encryption feature, this would also be considered not secure by this standard.
I will confess that I do not know the specifics of how most point of care software deals with encryption, if at all, but for HIPAA purposes, you will need to run an encryption program from somewhere other than the hard drive of the laptop to avoid the breach notification issue.
This will add several steps to the encryption process and make it less operator friendly. Think about it, the aide or nurse will need to put in a CD or flash drive, open the program, run it, then close the program and remove the disk or drive. This disk or drive would then be placed back in the computer bag the aide is using. Which raises another question - is keeping the encryption tool in the same bag as the computer containing the encrypted files storing them "on a device or at a location separate from the data". It seems there is a strong possibility that the answer to this question is no.
This may mean that for most home health providers, encryption as a way to avoid the breach notification requirement is not really an option. This is an interesting development which will hopefully be clarified as part of the comment period. (Although CMS stated that any updates to the security guidance would not be published until next April.) Simply going forward with the notification procedures may not be that difficult, but it would be nice if home health at least had the option.
Comments