Given the increasing number of health data breaches, including this week’s announcement from Anthem (potentially exposing 80m records, mine included), a brief review of the subject may be appropriate.
At the federal level both the Security Rule and the Breach Notification Rule are in play. In large part the Security Rule requires covered entities and their business associates to base their safeguards on a risk assessment. Those safeguards fall into administrative, physical, and technical categories, and each is fleshed out by implementation specifications. Many of these specifications are “required,” for example unique user identification so that access can be controlled and tracked. Others, however, are only “addressable.”
This latter is the case with encryption, defined in the Security Rule as “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” In practical terms the rule treats two situations separately: data in transit (during transmission) and data at rest (while stored), and encryption is addressable in both. Because it is only addressable, whether to encrypt stored data depends on the data custodian’s assessment of whether the technology “is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information.” If the risk assessment goes against encryption, the custodian must document why, and must implement an equivalent alternative measure if one is reasonable and appropriate.
We do not yet know the details of the Anthem breach. However, we do know that in 2013 Anthem (then WellPoint) settled a prior Security Rule case (involving the exposure of over 600,000 records) for $1.7m. More pointedly, in April 2014, amid growing concern over cyberattacks on US business and the realization that healthcare security was lagging, the FBI issued a Private Industry Notification to the healthcare industry warning of threats and specifically noting “The biggest vulnerability was the perception of IT health care professionals’ beliefs that their current perimeter defenses and compliance strategies were working when clearly the data states otherwise.”
Given such threats it is difficult to see how a healthcare institution could assess the need for encryption of stored data and yet conclude it was not called for. As I have argued elsewhere, if healthcare entities fail to encrypt given the current environment (and given the risk of extremely serious HIPAA sanctions if the assessment is flawed or poorly documented), maybe the Security Rule should be amended to require encryption.
Not surprisingly, the HIPAA Breach Notification Rule is also relevant. Anthem believes “there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.” However, the admitted “unauthorized access to …names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data” is likely sufficient to fall within the rule’s definition of ‘breach,’ since that information is individually identifiable and was held by a covered entity.
Under the approach introduced by the HIPAA Omnibus Rule, whether an impermissible use or disclosure amounts to a breach is also decided by a risk assessment. However, the rule presumes a breach unless the data custodian can demonstrate a low probability that the information has been compromised, and that allocation of the burden of proof, together with the factors the assessment must weigh (the nature of the data, who received it, whether it was actually viewed, and the extent of mitigation), will lead to most incidents being notified. There is a ‘safe harbor’ for secured data, but only for those who have encrypted it in a manner consistent with HHS guidance, which points to NIST standards. The safe harbor also assumes the key itself was not compromised; the guidance expects decryption keys to be kept separate from the data they protect, so an attacker who obtains both gets no benefit of the harbor.
Finally, state law also has a voice with regard to data breaches. Most states have general breach notification statutes, and while some exclude data already subject to HIPAA, many do not, so a covered entity may owe notices under both regimes. Meanwhile, of course, the class action lawyers are already circling above Anthem, a topic I have addressed here previously.
Healthcare IT has long lagged behind other industries (not that those are immune from data breaches). Will this latest cyber attack finally provide the wake-up call?