HIPAA Breach Notification Rule
We probably should have titled this “Breach Notification Rule and Encryption.” Why, you ask? Because if HIPAA Breach Notification Rule were a question, then encryption would be its corresponding answer.
What is the HIPAA Breach Notification Rule? From the U.S. Department of Health and Human Services (HHS) Website:
“The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.”
That’s official. Notifications must go out to victims, the U.S. Department of Health and Human Services, and (in some cases) the media (we wonder which news outlet usually gets the notice first). But again, this was all official. Unofficially, the Breach Notification Rule really encourages the practice of encryption. See for yourself:
Unsecured Protected Health Information and Guidance
Covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information.
Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.
This guidance was first issued in April 2009 with a request for public comment. The guidance was reissued after consideration of public comment received and specifies encryption and destruction as the technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals.
Additionally, the guidance also applies to unsecured personal health records and identifiable health information under the FTC regulations. Covered entities and business associates, as well as entities regulated by the FTC regulations, that secure information as specified by the guidance, are relieved from providing notifications following the breach of such information.
Well, isn’t that nice! Keep reading.
How Do You Define Encryption In Relation to the HIPAA Breach Notification Rule?
The better question is, “How do THEY define encryption?” We will explain that first, and then we will explain how WE define encryption (or the shortfalls of it). We hate to be unoriginal, but let’s let THEM explain how they define encryption-
Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals:
Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:
- Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.
- Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.1
- Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.
- The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
- Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.
- Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization such that the PHI cannot be retrieved.”
So that’s good news if you are the leading seller of encryption algorithms, or if you destroy/dispose of Personal Health Information (PHI).
If you’re a medical practice, it’s not bad news either. You can get out of breach notification if you meet the requirements outlined in the above guidance. What’s a Breach Notification Rule without a little guidance? But when accompanied by a guidance, it’s almost a loophole.
Isn’t a loophole good news? Not when you really think about the fact that a loophole is a two-way street to a dead end. Sometimes, it’s the crossroads where both roads lead to different cliffs. Or to the dead-end side of a maze.
While we are willing to pretend that a loophole is a good thing, not reporting a breach is always bad news if it’s your PHI (pronounced F-I). Why? Because it’s a breach of your privacy, and that breach is kept private. From you. But your information wasn’t kept private from them.
That’s a sore subject for some, so let’s circle back to loopholes… since encryption, as defined above, creates its own loophole. And this one is called, “all your encryption is for nothing if you don’t have keystroke encryption.”
And we assure you – almost no one does. How do we know that? Well, we know the patent holder of keystroke encryption technology!
So here’s our definition of encryption: “it doesn’t work, because of keylogger malware.” (Unless you have keystroke encryption, of course).
The way encryption works is that it takes your data and transforms it into a code that only you should be able to decipher. Which is perfect, in a perfect world. Our current world is more like a perfect storm.
And to get your data into the system that will code it and satisfy the guidance, you must type it. And when you type keys, keylogger malware takes note of every key you type. And then it reads all your data, right BEFORE it’s encryped. It still gets encrypted, just AFTER it gets stolen.
Sound complicated? It’s really not…encryption is pretty ineffective, except in satisfying the guidance of the Breach Notification Rule. And somewhere, it probably makes someone feel warm and fuzzy. It just doesn’t really do much to prevent an actual breach of PHI. It only prevents the requirement of notification of the breach.
Tricky, we agree. Especially when that loophole becomes a double-edged sword. What do we mean? Well, do you see what we did? We bolded and italicized the real loophole…the one that nullifies the alleged loophole. In case you missed it above, here it is again- from the first guidance above:
“Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached.“
Look at this again… Here is the key to encryption:
“…in which there is a low probability of assigning meaning without use of a confidential process or key…”
Well. When data is stolen by keylogger malware catching it in the pre-encryption part of the encryption process (which happens literally all of the time), everyone’s loophole out of the Breach Notification Rule takes on a twist. And this one, it’s a turn for the worse.
It puts a fork in the road, and now we are at a crossroads. And this is shaky ground. Is that quicksand? Either way, the ground just may open up and have some of us for lunch.
Because now there is a very HIGH PROBABILITY of assigning meaning WITHOUT use of a confidential process or key. We guess you could see how that holds up in court, but we don’t suggest it. So what do we suggest? Always notify your victims when their PHI is breached, it’s just the right thing to do.
But that’s only if you made the mistake of not protecting their data with keystroke encryption- AKA, encryption. Because regular encryption is just an impostor of actual encryption. If you had used keystroke encryption, then you wouldn’t have victims to notify, or loopholes to steer away from.
If you now feel left out of the guidance, just remember it’s always better to do the next right thing than it is to fit in with bad company. “When the mob and the press and the whole world tell you to move, your job is to plant yourself like a tree by the river of truth, and tell the whole world ‘No, you move.’” -Captain America.
What an all-around great guy. If he was responsible for patients’ PHI, he’d definitely protect it!