Don’t show me anything, don’t send me anything, don’t even speak to me. It’s the only way I can think of to avoid the growing liabilities associated with failure to secure personal information.
Recent guidance from federal HIPAA regulators makes information security optional for patients the law was written to protect. Before you wander off, information security laws don’t just apply to doctors and insurance companies. Every business of every kind in possession of any “personal information” belonging to someone else must focus on information security.
The baseline for information security has always been data encryption. That’s true under every state and federal statute and regulation. Washington State’s breach notification statute provides a “safe harbor” for encrypted personal information. What has changed are the definitions and application of various federal and state laws. As expected, these changes have made compliance harder, not easier.
For years, I have worked to convince health care practitioners that HIPAA compliance required data encryption. HIPAA security standards require secure transmission of information as well as storage. That means practitioners shouldn’t be sending personal health information through unencrypted email or storing data on unencrypted devices or computers. Unless it’s a bother.
“[Practitioners] must safeguard the information in transit, and are responsible for breach notification and may be liable for impermissible disclosures of PHI that occur in transit. The only exception arises when an individual has requested that the PHI be sent to the third party by unencrypted e-mail or in another unsecure manner, which the individual has a right to request. As long as the individual was warned of and accepted the security risks to the PHI associated with the unsecure transmission, the covered entity is not responsible for breach notification or liable for disclosures that occur in transit.” [emphasis added, OCR Guidance]
In my experience, if you give people the opportunity to hurt themselves, they will choose the hurt if it’s easier than being safe. The observation is particularly true when safety means hard passwords, log in routines, and God forbid – encryption. “Oh bother.”
I now supply an informed consent form for email so health care practitioners can protect themselves from patient requests to ignore security issues. Weirdly, practitioners still need to use and provide secure methods of storing and transmitting patient information. Now however, practitioners must help patients defeat these security procedures upon request.
Compare and contrast:
“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.” [emphasis added, OCR Guidance]
“It is expected that all [practitioners] have the capability to transmit PHI by mail or e-mail (except in the limited case where e-mail cannot accommodate the file size of requested images), and transmitting PHI in such a manner does not present unacceptable security risks to the systems of covered entities, even though there may be security risks to the PHI while in transit (such as where an individual has requested to receive her PHI by, and accepted the risks associated with, unencrypted e-mail).” [emphasis added, OCR Guidance]
O.K., but that’s not the hard part.
If you are an ordinary [or extraordinary] business in Washington State, you don’t get the opportunity to give customers a choice to be stupid – ahem, unsecure. Washington’s breach notification statute requires businesses to report unauthorized access to “personal information” – first name or first initial and last name in combination with any of these:
- * Social Security number;
* driver’s license number or identification card number; or
* account number or credit or debit card number, along with the access code or password that permits access to a person’s account.
Businesses that encrypt their data enjoy a “safe harbor” from liability. But there is always irony when looking for a safe harbor.
Under the state law, the National Institute of Standards and Technology encryption standards guiding HIPAA compliance determine the question of business compliance. If the information gets diverted to unauthorized users, the business must notify those affected. If more than 500 people have been affected, the state Attorney General must also be notified. These breaches show up on the Attorney General website.
In case you are wondering, HIPAA does not provide a private right to sue for a breach of data. But the state business law does.
(a) Any consumer injured by a violation of this section may institute a civil action to recover damages.
(b) Any person or business that violates, proposes to violate, or has violated this section may be enjoined.
(c) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law. [RCW 19.255.010 (13)]
So why would the federal government change direction and demand that health care practitioners honor patient demands to ignore data security? Overreaction all the way around. Turns out that HIPAA gets used more often as a sword than a shield – “I’d love to help, but it’s a HIPAA violation.”
Folks find it nearly impossible to get their hands on their own information. Throw some forms, online registration, encryption keys and passwords at people and “covered entities” never need to disclose. Hell, no one can use the data when we get done protecting it.
OCR decided to defeat its own security monster by letting patients do what they want with their own information even if it means sending it to a free email account with no security or copying it to a free USB stick they got from that cute next door neighbor. Health care practitioners must meet the patient demand but then yell – “watch out someone might steal your files!” Ordinary businesses can yell; but, it won’t matter.
Don’t talk to me.