In 2009, the Ways and Means Committee put forth the Health Information Technology for Economic and Clinical Health Act, or HITECH Act. The bill states that health information technology helps save lives and lower costs. One of the four major goals of the legislation is “Strengthening Federal privacy and security law to protect identifiable health information from misuse as the health care”.

Stage 1 of the program required hospitals and eligible professionals (physicians) to conduct or review a risk analysis and implement security updates as necessary to correct identified security deficiencies.

The proposed Stage 2 rule includes the identical requirement, but it adds that the assessment must include “addressing the encryption/security of data at rest.”

The proposed rule specifically states: “We do not propose to change the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule requirements or require any more than would be required under HIPAA. We only emphasize the importance of an eligible professional or hospital including in its security risk analysis an assessment of the reasonableness and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure.”

Recommended Security Changes

  • The proposed rule would not alter the HIPAA Security Rule’s requirements on encryption. Under that rule, encryption is “addressable,” which means it must be implemented if doing so is reasonable and appropriate – which stops short of an outright mandate.
  • The Office of the National Coordinator for Health IT proposes “that Electronic Health Record [EHR] vendors … by default enable encryption of data on end-user devices if any data is kept on user devices after the session ends”.
  • That secure messaging be used when doctors communicate with patients on health care matters.
  • That the system encrypt data at rest when sensitive data is stored within an EHR system.

These rules will be announced this month to the public for comments. A final decision on the rules will be announced in late Summer 2012.