At first read, the security risk analysis (SRA) provisions of the proposed Stage 2 “meaningful use” regulations appear to have changed only slightly from those in Stage 1. The language in the draft rule is nearly identical to Stage 1, with one notable addition highlighted below:
“Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.”
Covered entities and eligible providers must now address the issue of encryption of “data at rest” as part of their security risk analysis process. This shines a spotlight on the existing encryption references within the HIPAA Security Rule. Encryption of ePHI is specifically covered under 45 CFR 164.312(a)(2)(iv), which reads: “Implement a mechanism to encrypt and decrypt electronic protected health information.” However, since it is categorized as an “addressable control,” it is not specifically mandated.
As part of Stage 2 Meaningful Use, encryption of “data at rest” must be considered as an addressable control. As such, providers need a process by which they evaluate whether the control is “reasonable and appropriate” and would likely contribute to protecting the provider’s health information. If the control is deemed “reasonable and appropriate,” then it must be implemented.
However, if the provider decides “encryption of data at rest” is not reasonable and appropriate, then it must 1) document why it is not reasonable and appropriate, and 2) implement an equivalent alternative measure if reasonable and appropriate. Despite a little remaining wiggle room, it has become increasingly difficult to justify not encrypting ePHI under the “reasonable and appropriate” caveat.
Turning to the new rules for EHR software certification, Stage 2 also requires the main software application “to be able to demonstrate the capacity to encrypt [data on] mobile devices in circumstances where the EHR technology manages the data flow on the mobile device.”
In our view, these provisions stop just short of a mandate. Determining reasonableness is not just about the cost of hardware and software or the complexity of implementation. It is more about whether or not the organization can execute the requirement consistently and effectively.
Given that the majority of significant breaches to date have been the result of lost or stolen devices containing unencrypted data, and the increasing mobility of data itself, it will be difficult to find “equivalent alternative measures.” That said, Redspin can provide a framework for considering the issue within our overall SRA roadmap and expert guidance on how to reasonably and effectively protect patient information.