As my blog post of September 17, 2012, noted, the Massachusetts Eye and Ear Infirmary (“MEEI”) and Massachusetts Eye and Ear Associates, Inc. (“MEEA”), entered into a settlement agreement with the Department of Health and Human Services (“DHHS”) to resolve a breach of unsecured electronic protected health information (“ePHI”) that they had reported to DHHS. The penalty resulted from their report to DHHS of the loss of an unencrypted laptop. The loss of one unencrypted laptop cost MEEI $1.5 million! The Office for Civil Rights (“OCR”) of DHHS investigated the breach and found that MEEI had not fully evaluated the likelihood and impact of potential risks to the confidentiality of ePHI maintained in and transmitted using portable devices, had not implemented appropriate security measures to address those risks, had not documented the chosen security measures and the rationale for adopting them, and had not maintained reasonable and appropriate security measures on an ongoing basis. Note that, if MEEI had encrypted the data on the laptop, the lost data would not have been “unsecured” ePHI; MEEI would not have had to report the loss to DHHS and, thus, would not have been investigated or had to enter into a settlement agreement.
The HITECH Act did not make encryption a required implementation specification. It remains addressable. In other words, covered entities and business associates must determine whether encryption is reasonable and appropriate in their particular environment (read: in your situation) with regard to its likely contribution to protecting ePHI. If it is reasonable and appropriate, then it becomes required. If not, consider two other approaches: implement an equivalent alternative measure (such as password protection), or do nothing, because it is not reasonable and appropriate either to encrypt or to adopt an equivalent alternative measure. In the latter two approaches, however, you must document why it is not reasonable and appropriate to encrypt and how your other approach is sufficient to protect the data. Parenthetically, it will seldom, if ever, be sufficient not to adopt at least an equivalent alternative measure for a laptop or portable media containing ePHI, because of the requirement to report breaches of unsecured ePHI and the huge penalties that may result.
Consequently, I have revised my previous portable computer policy to emphasize encryption and proper documentation of the addressable encryption implementation specification. Premium Members can now download the updated policy and adapt it for their situation.