Stiffer encryption means better protection for PHI or EHR

By Kyle Murphy, PhD

If I’ve learned anything from the Exxon Valdez and BP oil spills, it’s that cleaning up a mess is much more costly than preventing it from happening altogether. On March 13, BlueCross BlueShield of Tennessee (BCBST) was slapped with a $1.5 million fine from the US Department of Health and Human Services (HHS) for the theft of 57 hard drives from a data store in Chattanooga in 2009. The breach of the Health Insurance Portability and Accountability Act (HIPAA) has yet to lead to the misuse of protected health information (PHI) by the thieves. However, BCBST has reported its own losses as a result of the mess.

Since the breach, BCBST has spent a whopping $17 million in cleanup measures. These include investigation, notification of the breach to affected parties, and offering protection services to remediate the potential abuse of stolen data. As part of its settlement with HHS, BCBST must abide by a 450-day corrective action plan, which includes monitoring the training and enforcement of policies and procedures created and reported to HHS concerning how to safeguard patient PHI.

Among these activities was the decision to encrypt all data in storage, which BCBST deems a “voluntary effort which goes above and beyond current industry standards.” It would seem that industry standards are deplorably low if this offending organization is claiming this move as exceptional. I would like to know which industry in particular the organization has in mind. Last time I checked, HIPAA (1996) and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 looked to encryption as the best means of ensuring the safety of digital patient information.

Given that PHI often contains SSNs (information that can affect the health of your credit score and wallet), this information needs industry-leading standards at all times. Encryption for health data needs to come standard regardless of what industry standards folks have in mind, because it’s too little too late for those affected by the breach, totaling 1 million members. We are coming to terms with the costs consumers incur because of these breaches, but shouldn’t we really be wondering how much organizations could save us and the healthcare industry as a whole by being proactive and doing much more than the little that’s expected?

If you’re planning on taking part in BCBST’s recently launched Health Insurance Exchange, it’s wise to consider how they’ll be treating your submitted information.
