Encryption - Don't Flirt and Not Commit (the OCR v. The University of Texas MD Anderson Cancer Center lesson)

Provided by:  Jennifer Kirschenbaum, Esq.

October 2, 2018

Question:

Hi Jennifer,

I have not adopted encrypted email.  Is that a problem? 

Thanks, Dr. L

Answer: 

Short answer:  No.  Encryption is not required.  However, this is a great question to highlight a new scary ruling.

Lesson of the Day - Avoid Setting you own Policy and stepping in it..  See  OCR v. The University of Texas MD Anderson Cancer Center ("UT ACC").   Seehttps://www.hhs.gov/sites/default/files/alj-cr5111.pdf

UT ACC documented (somewhere, some time ago) it would adopt encryption.  Didn't happen.  Thereafter, UTACC Documented lost hardware over the years; specifically cited - lost laptop in 2012, lost USB thumb drive in 2012, visiting researcher losing USB Thumb Drive 2013.  UT ACC fined by the government (and lost on appeal) $4,348,000 (civil money penalties of $2,000 per day for each day of a period that began on March 24, 2011 and that continued through January 25, 2013; and civil money penalties of$1,500,000 per year for the years 2012 and 2013).  

During the appeal, the Administrative Law Judge lays out the issues and areas of concern clearly - 1. setting own policy; 2. failing to adhere to said policy; 3. stepping in policy. 

“In 2007, the University of Texas System advised its subsidiaries and affiliates that many incidents involving unauthorized exposure of confidential data result from theft or loss of portable devices that contain such data. It directed that as a general principle, confidential data should not be stored on portable devices or on privately-owned devices. It added, however, that any confidential data that is stored on such devices must be encrypted using approved methods. In November 2007, Respondent issued a confidentiality policy and a patient privacy policy stating that appropriate safeguards must be taken to protect the confidentiality of patients' health information.”
See https://www.hhs.gov/sites/default/files/alj-cr5111.pdf

THEN, No Encryption followed.  Other protections followed, but no encryption.  Judge finds:  “The approaches touted by Respondent were not intended to substitute for encryption. Respondent has pointed to no facts that suggest or establish that at some point after 2008 it decided to implement alternate mechanisms other than encryption to protect its ePHI. However, even if Respondent adopted the various approaches in lieu of encrypting devices that it asserts were its mechanism to protect ePHI, those approaches failed spectacularly to protect Respondent's confidential data, with ePHI pertaining to more than 33,000 individuals being lost or stolen in 2012 and 2013.”

“As early as 2006 Respondent recognized its vulnerability to loss of confidential information including ePHI. In 2008 Respondent decided that it would encrypt its devices, including laptops and USB drives, in order to protect any ePHI that these devices contained. Encryption of devices wasn't a mechanism specifically dictated by the regulations. But, it was the mechanism that Respondent chose to protect its ePHI contained on portable devices. Once Respondent elected to utilize that mechanism, it was obligated to make it work."

ALJ acknowledges “regulations governing ePHI do not specifically require devices to be encrypted if "encryption" in this context is interpreted to mean some mechanical feature that renders these devices physically impossible to enter by any persons who are not authorized users. But, these regulations require covered entities to assure that all systems containing ePHI be inaccessible to unauthorized users.  ….These regulations give considerable flexibility to covered entities as to how they protect their ePHI. Nothing in those regulations directs the use of specific devices or specific mechanisms by a covered entity. However, the bottom line is that whatever mechanisms an entity adopts must be effective.” See https://www.hhs.gov/sites/default/files/alj-cr5111.pdf.
 
 
*************************************************************