6 Reasons Organizations Fail to Encrypt ePHI
The drumbeat of HIPAA breaches in the media is incessant, and the refrain is the same: yet another PC containing electronic protected health information is stolen, so the organization is compelled to notify patients, Health and Human Services, and the media. The Office of Civil Rights swoops in, levies a 7 figure fine, and posts the offender on the HHS “Wall of Shame”, resulting in a damaged reputation and loss of future earnings.
Ironically, had the PC’s hard-drive been encrypted, the loss would have been a non-event, unreportable given the Safe Harbor provisions of HIPAA. And inexpensive encryption technology has been readily available for years. Yet, 538 or 46% of the 1,171 Breach Notifications posted on the Wall of Shame stem from the simple loss of a computer with an unencrypted hard-drive.
So, if it is so obvious how to correct the deficiency that single-handedly accounts for the most frequent HIPAA Breach Notifications, why don’t more organizations properly encrypt and protect the ePHI entrusted to them? Here are the six most common reasons we discover during our risk assessments …