Provided by: Jennifer Kirschenbaum, Esq.
October 2, 2018
I have not adopted encrypted email. Is that a problem?
Thanks, Dr. L
Short answer: No. Encryption is not required. Under the HIPAA Security Rule, encryption of ePHI is an "addressable" implementation specification, not a "required" one: you must assess whether it is reasonable and appropriate for your practice and, if you decide against it, document why and what equivalent protection you rely on instead. One practical caveat worth knowing: a lost or stolen device whose ePHI was properly encrypted is generally not a reportable breach under the Breach Notification Rule, while an unencrypted one is. However, this is a great question to highlight a new, scary ruling.
Lesson of the Day - Avoid setting your own policy and then stepping in it. See OCR v. The University of Texas MD Anderson Cancer Center ("UT ACC"), https://www.hhs.gov/sites/default/files/alj-cr5111.pdf.
UT ACC documented, back in 2008, that it would encrypt its portable devices. It didn't happen. Thereafter, UT ACC documented lost hardware over the years; specifically cited were a lost laptop in 2012, a lost USB thumb drive in 2012, and a visiting researcher's lost USB thumb drive in 2013. UT ACC was fined by OCR (and lost on appeal) $4,348,000: civil money penalties of $2,000 per day for each day of a period that began on March 24, 2011 and continued through January 25, 2013, plus civil money penalties of $1,500,000 per year for the years 2012 and 2013.
During the appeal, the Administrative Law Judge lays out the issues and areas of concern clearly: 1. setting its own policy; 2. failing to adhere to that policy; 3. stepping in it.
Then: no encryption followed. Other protections followed, but not encryption. The Judge finds: “The approaches touted by Respondent were not intended to substitute for encryption. Respondent has pointed to no facts that suggest or establish that at some point after 2008 it decided to implement alternate mechanisms other than encryption to protect its ePHI. However, even if Respondent adopted the various approaches in lieu of encrypting devices that it asserts were its mechanism to protect ePHI, those approaches failed spectacularly to protect Respondent's confidential data, with ePHI pertaining to more than 33,000 individuals being lost or stolen in 2012 and 2013.”
“As early as 2006 Respondent recognized its vulnerability to loss of confidential information including ePHI. In 2008 Respondent decided that it would encrypt its devices, including laptops and USB drives, in order to protect any ePHI that these devices contained. Encryption of devices wasn't a mechanism specifically dictated by the regulations. But, it was the mechanism that Respondent chose to protect its ePHI contained on portable devices. Once Respondent elected to utilize that mechanism, it was obligated to make it work.”
The ALJ acknowledges that “regulations governing ePHI do not specifically require devices to be encrypted if "encryption" in this context is interpreted to mean some mechanical feature that renders these devices physically impossible to enter by any persons who are not authorized users. But, these regulations require covered entities to assure that all systems containing ePHI be inaccessible to unauthorized users. ... These regulations give considerable flexibility to covered entities as to how they protect their ePHI. Nothing in those regulations directs the use of specific devices or specific mechanisms by a covered entity. However, the bottom line is that whatever mechanisms an entity adopts must be effective.” See https://www.hhs.gov/sites/default/files/alj-cr5111.pdf.