Five Reasons why You Need to Encrypt Your PHI

2014-06-20 - Cryptography, General, HIPAA, Security

Health Insurance Portability and Accountability Act from 1996 (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets out strict rules about who may handle Protected Health Information (PHI) and what they may do with it. When it comes to the storage of that data, however, the law leaves room for interpretation. For example, 45 CFR 164.308 states that you have to "Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level", but leaves it up to you to decide what is reasonable and appropriate. Still, there are a few good reasons why you always want to encrypt PHI data in your database.

Am I Affected by HIPAA?

The HIPAA rules call a company or service provider that has to abide by them a "covered entity". How do you know if you (or your company) are a covered entity? The HIPAA law does not affect every company, but if you provide some kind of health-related service, chances are you are bound by it.

HIPAA PHI Encryption

What pieces of the Protected Health Information (PHI) do I need to encrypt?

Before we talk about the "why", let us quickly recap what "Protected Health Information" or PHI actually is: PHI is any kind of information that is tied to the health or the medical history of a specific person.

The important piece here is that the information needs to be tied to a particular individual. Conversely, if the individual that the information at hand describes can no longer be identified, the extra stringent security measures no longer apply either. In fact, 45 CFR 164.402 states that the disclosure of de-identified PHI is not considered a breach.

Therefore, you want to encrypt those data points that allow the identification of a particular individual. Things like the social security number, a medical record number or even the (cell) phone number come to mind. But there are other pieces of information that you might not think of as identifying, yet they are. For example, the vehicle license plate. Even the age (in years) can be used to identify a person, once you get above 90 years. The HIPAA rules give us a comprehensive list of the fields you need to consider; check out the section about de-identifying data (45 CFR 164.514).
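As an added example (not part of the original post), here is a Safe Harbor style de-identification pass in Python over a constructed patient record. It removes the identifier columns the post names, applies the age and date-of-birth rules of 45 CFR 164.514(b)(2) (the Safe Harbor text aggregates every age over 89 into a single "90 or older" category), and scans the remaining free text for identifiers that never made it into a dedicated column; the column names, regular expressions and sample values are assumptions made for this illustration.

```python
import re

# Direct identifiers named in the post (45 CFR 164.514(b)(2)(i)); a record is only
# de-identified once they are gone, so in the live database these are the columns to encrypt.
DIRECT_IDENTIFIERS = ("name", "ssn", "medical_record_number", "phone", "license_plate")

# Identifiers also leak into free text. Constructed, simplified patterns: a US SSN
# (ddd-dd-dddd) and a 10-digit phone number with optional separators.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\d{3}[-.\s]?){2}\d{4}\b"),
}
AGE_CAP = 89  # Safe Harbor: every age over 89 is reported only as the category "90+"

def safe_harbor_deidentify(record):
    """Return (deidentified_copy, residual_leaks) for one patient record (a dict).
    Identifier columns are dropped, the age capped, the date of birth cut to its year, and
    the remaining strings scanned; any hit means the copy is still identifiable and the
    45 CFR 164.402 breach exemption for de-identified data does not apply."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "age" in out:
        out["age"] = "90+" if out["age"] > AGE_CAP else out["age"]
    if "date_of_birth" in out:  # ISO date string: keep the year, drop month and day
        out["date_of_birth"] = out["date_of_birth"][:4]
    leaks = []
    for field, value in out.items():
        if isinstance(value, str):
            for kind, pattern in LEAK_PATTERNS.items():
                if pattern.search(value):
                    leaks.append((field, kind))
    return out, leaks

# Constructed sample record; none of these values belong to a real person.
SAMPLE = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "medical_record_number": "MRN-0042",
    "phone": "555-010-0199",
    "license_plate": "7ABC123",
    "date_of_birth": "1921-03-14",
    "age": 93,
    "diagnosis": "J45.20",
    "notes": "Follow-up call to 555-010-0199 scheduled.",
}

if __name__ == "__main__":
    clean, leaks = safe_harbor_deidentify(SAMPLE)
    print(clean)                           # age is "90+", date_of_birth is "1921"
    print("residual identifiers:", leaks)  # [('notes', 'phone')]
```

A non-empty residual list is the signal that the record still needs the full PHI protections, encryption included, even though the obvious identifier columns are gone.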

Five Reasons to Encrypt PHI in Your Database

So, why should you encrypt your PHI?

1) It's the Law

The first reason is very straightforward: in section (a)(2)(iv) of 45 CFR 164.312, the HIPAA rules clearly say that you need to "[i]mplement a mechanism to encrypt and decrypt electronic protected health information". (Note: see the clarifying comment by netsec4u below.)

2) The Expense

In the case of a breach of PHI that was directly or indirectly caused by you, you can get fined. The fines range from $100 to $50,000 or more per incident. You can expect that each record in a data breach affecting the PHI of several individuals will be considered a separate incident, potentially multiplying the fine by a very large number.

3) Nightmares

You are required to publicly disclose any breach of PHI that was in your possession. You are also required to contact each affected individual directly. What that entails for your business can be best described by these two words: PR Nightmare.

In addition to the bad press and reputational damage, the fines and the cost of notification can quickly run into the millions. The Cost Of A Data Breach gives an overview of recent PHI breaches and the associated costs to the companies.

4) Protection

Encryption does not only protect the data, it also protects you. In a recent California ruling, a company that lost a hard drive with PHI got away without penalties, because the data was encrypted.

5) One More Thing

If all that was not yet enough to convince you that you really need to encrypt that data, I have one more reason for you: just a few days ago the West Virginia Supreme Court ruled that in the case of a PHI breach an individual does not have to prove any actual damages. That ruling opened the door for a class action lawsuit against a single company by over 3000 individuals who were affected by the breach.

Summary

If your business is dealing with PHI (Protected Health Information), you are responsible under the HIPAA law for doing your best to protect that data from unauthorized access. That includes the protection of the data at rest. For that reason alone, it should be obvious that you need to encrypt PHI in your database. Beyond that, it can get extremely expensive very quickly if due diligence is lacking and it comes to a data breach.

If you have PHI in your database that is not encrypted, make it your highest priority today to change that.

Disclaimer: I am not a lawyer, therefore you should not consider any of this legal advice. For that, talk to your own lawyer.


2 comments
netsec4u

The statement that encryption is the law is not entirely accurate. Section 164.312 contains specifications that are either "required" or "addressable." Encryption is addressable. An organization can choose to not encrypt due to the lack of feasibility. See http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2020.html for a good description of the difference between required and addressable.

@sqlity (moderator)

@netsec4u, thanks for pointing that out and providing the link. I admit that I missed that detail. However, I stand by my opinion. As your source points out, "a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so". With the advances in technology, it is going to be very hard to sell to your customers, shareholders or law enforcement that encryption was "unreasonable" to implement. Encryption of data at rest can be implemented without any change to the application layer, so at least that part should be deemed "reasonable" in almost all circumstances.

You might have a valid exception, if you are dealing with a legacy application on legacy hardware.

Trackbacks

  1. […] is important to encrypt important data like PCI data or PHI in your database. But it is also important to manage your encryption keys correctly. The above […]

  2. […] Granting excessive permissions is problematic for two reasons. About 80% of the attacks on company data are actually executed by employees or ex-employees. Granting too many privileges or not revoking those privileges in time makes it unnecessarily simple for them to execute their wrongdoing. Some of these actions might even be executed inadvertently or without the perception of those actions being illegal. For example, medical records of prominent people are exposed by employees all the time. (That is just one of the reasons why you should encrypt HIPAA-related data.) […]