Encryption as a Silver Bullet for HIPAA Security and Privacy
I recently traveled to Dallas to give a lunch talk to a group of health underwriters about the recent changes in HIPAA surrounding security and privacy. When those of us in the security industry talk to a group about new regulations, we tend to find the scary parts and play them up. The list of regulations familiar to anyone who has chased compliance includes SOX, GLBA, PCI and even FISMA. Each of them has its own scary part and its own challenges. HIPAA, however, scares me, and it is now in a league by itself.
HIPAA was profoundly changed by the American Recovery and Reinvestment Act of 2009 (ARRA), through its HITECH Act provisions. Prior to ARRA, HIPAA was a regulation that was good policy at best and was often ignored without any fear of penalties. HIPAA is now a demanding government regime waiting to take a hunk out of the hide of a large portion of our economy.
As we look at some of the more recent regulatory compliance regimes, HIPAA now reminds me of what PCI was like five years ago. PCI has always been very specific about what is required and HIPAA somewhat vague, but it is useful to compare the enforcement side of the two. A few years in, the PCI regime began to crack down in order to scare the governed into compliance. We all remember the TJX breach, which was financially painful for TJ Maxx but was also the seminal moment in the credit card world that everyone remembers emotionally and refers to as that which must not be repeated.
HIPAA is following the same path, most recently with the Rite Aid $1M fine and the first doctor to go to jail for a HIPAA violation. One wonders when the next big trophy penalty will come down and whether it will be enough to eclipse the Rite Aid fine as the seminal moment in HIPAA penalties. I think there is more to come…
Let’s look at why HIPAA will produce much more spectacular carnage, in monetary and PR damage, for some company that will become the TJX of the medical world.
First, HIPAA is a federally mandated regulation. There are bureaucrats in DC whose mission is now to audit and impose civil penalties on HIPAA covered entities (doctors, hospitals, etc.) as well as all of their business associates (transcribers, billers, benefit writers, CPAs, lawyers, etc.). Before ARRA passed, the HHS Secretary had discretion over whether to impose civil penalties at all and over how much they would cost the offender. Now, in the spirit of zero tolerance, the HHS Secretary must formally investigate complaints that indicate possible willful neglect and must impose penalties for willful neglect according to a tiered, statutorily fixed schedule of fines. Beyond the civil schedule sit the criminal penalties (go to jail).
Further, the penalty money collected now goes to the HHS office tasked with enforcement. The more penalties collected, the more auditors can be hired to carry out the periodic audits of covered entities and their business associates that the statute now requires of HHS.
As if this weren’t bad enough, this fall the GAO has a statutory obligation to come up with a plan for how some of the penalty money paid to HHS will be distributed to the victims. Oh, and by the way, state Attorneys General can get in on the action too: by statute they can now go after covered entities and their business associates as well.
By the way, if you leak protected health information, accidentally or otherwise, and it affects 500 or more individuals, you have to report it to the HHS Secretary. HHS has to post you on a public website, and you will be famous. That list will be a great resource for advocates of identity breach victims once the GAO figures out how to pay penalty money out to them.
Holy repression, Batman!
The one silver lining is that if you encrypt the PHI you keep or transmit, a loss of that data is not a breach of “unsecured” PHI, so the breach notification requirements (and the public listing that comes with them) do not apply. Two caveats a practitioner should keep in mind: the encryption has to be consistent with the HHS guidance on rendering PHI unusable, unreadable or indecipherable (which defers to the NIST publications on storage and transport encryption), and the safe harbor only holds if the decryption key was not lost along with the data. Encryption also does not excuse you from the rest of the Privacy and Security Rules; it removes the notification duty, not every penalty.
BunkerMail is looking pretty good right now from where I’m sitting!
Here are my slides from the Dallas Area Health Underwriters talk.