The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is both a shield for patients against intrusion into private information and an ongoing headache for almost everyone involved in health care. As the law gets closer to its 20th anniversary, some aspects of the legislation have become comparatively routine, while others remain complex and challenging.
For health care organizations, the fundamental challenge is to stay in compliance. At its most basic level, that means avoiding data breaches – and adhering to a welter of practices needed to keep not only electronic data but even conversations confidential. Those who aren't able to achieve that goal find their organization's name displayed on a government “wall of shame” and pay hefty fines. But since there is no exact formula for how to ensure compliance – current requirements are risk based – it's an open-ended challenge. Thus, organizations must balance the fear that no matter what they do it won't be enough against the reality that everything they do to comply costs money.
A widely watched case has perhaps muddied the waters even more. In October 2013, the Second Appellate District Court of California dismissed a case against the University of California, dating back to 2011, in which a laptop with 16,000 patient records was stolen from a physician's home. A plaintiff sued the university under the Confidentiality of Medical Information Act (CMIA), a state statute, and lost. The data was encrypted, which is often regarded as providing protection to medical entities under HIPAA and other statutes. However, file cards that included an encryption key were also stolen, potentially allowing the thieves to access the data.
Most of the time when laptops go missing they are unencrypted. "What was different about the California case was that the drive was encrypted, but the plaintiff was unable to prove that there was any breach of actual data,” notes IDC analyst Lynne Dunbrack.
However, Dunbrack says the outcome certainly underscores the importance of encrypting data both in motion and at rest. Dunbrack notes that encryption has been resisted by users because it adds complexity and typically takes more time. Perhaps, she speculates, this decision in California “will lead to more pushback, now that IT can demonstrate that if files are encrypted it can mitigate the impact of one of the most common kinds of data breach, namely lost or stolen laptops.”
HIPAA is a very strange law, says Skip Snow, senior health care analyst at Forrester, because it applies to a single doctor as well as to the world's biggest health insurance company. And it is applied through Byzantine rules. Thus, if an encrypted laptop were stolen from a group practice of 50 physicians, although encryption itself will likely protect the data, the practice could still be fined if it didn't actually have a policy for using encryption to ensure patient privacy. On the other hand, if you did have a policy that said you would take reasonable measures to protect patient privacy by using encryption, you would be covered. “It isn't so much what the law says as it is individual institutions defining their policies,” he explains.