News Feature | February 19, 2015

Should HIPAA Encryption Be Legislated?

Katie Wike

By Katie Wike, contributing writer

Data Breach Cost Of $5.6 Billion Predicted For Healthcare In 2015

Federal officials plan to review whether HIPAA information should be required to be encrypted.

A federal law from the 1990s says insurers aren’t required to encrypt consumer data. This law is now under review after the Anthem breach in which 80 million customers were left vulnerable.

According to Fierce Health IT, The Senate Health, Education, Labor and Pensions committee will be overseeing the matter as a bipartisan review of health information security. “We will consider whether there are ways to strengthen current protections,” said the spokesman for Chairman Lamar Alexander, R-TN.

“We need a whole new look at HIPAA,” said David Kibbe, CEO of DirectTrust, a nonprofit working to create a national framework for secure electronic exchange of personal health information. “Any identifying information relevant to a patient ... should be encrypted,” he told the AP.

Encryption has been controversial, according to the AP article, because it adds costs and makes daily operations cumbersome. It’s not foolproof protection either. If someone has the code or steals it, they can access information anyway.

Even Anthem spokeswoman Kristin Binns said encryption would not have prevented the highly publicized recent attack because the hackers gained access with a system administrator's ID and password. “These attackers gained unauthorized access to Anthem’s system and had access to names, birthdates, medical IDs/social security numbers, street addresses, email addresses, and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information were targeted or compromised,” said Anthem President and CEO Joseph R. Swedish in a statement. Anthem does encrypt information which is exported.

“In today's environment, we should expect all health care providers to encrypt their data from end to end,” says Indiana University law professor Nicolas Terry who specializes in health information technology. “HHS should amend the security rule to make encryption mandatory,” he said.