Blog: Chronicle of Data Protection | 21 May 2010

HIT Policy Committee Workgroup Recommends Encryption Mandate

The Health IT Policy Committee’s Privacy and Security workgroup has recommended that patient data exchanged between providers for treatment purposes be governed by policies that “at least” include encryption. The HIT Policy Committee is a federal advisory committee established to provide guidance to the Office of the National Coordinator for Health IT (ONC) on health IT policy issues, and its privacy and security workgroup is charged with addressing the privacy and security issues involved in developing a framework for the exchange of health information.

According to the workgroup’s recommendations, encryption ideally should be required when there is potential for transmitted data to be exposed. The workgroup proposed that the encryption mandate come through either the meaningful use and certification criteria; or through modification of the HIPAA security rule.

In addition to encryption, the group recommended that provider-to-provider exchange be governed by policies that include “limits on identifiable (or potentially identifiable) information in the message” and “identification and authentication.” According to the workgroup, “if strong policies are in place and enforced, we don’t think that the above scenario needs any additional individual consent beyond what is required by current law."

If such recommendations are adopted and an encryption mandate imposed, this would have significant and far-reaching consequences for providers. We will continue to track the status of these recommendations as they evolve.