The University of Rochester Medical Center (URMC) has paid a $3 million HIPAA penalty to the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) for failing to encrypt mobile devices, among other HIPAA violations. An investigation that followed two breach reports from URMC (the loss of an unencrypted flash drive and the theft of an unencrypted laptop computer) resulted in a $3,000,000 financial penalty, a robust corrective action plan, and two years of closely monitored compliance.
Let's be clear: hacks and data thefts enabled by weak security, cover-ups, or avoidable mistakes have cost several companies a total of nearly $1.3 billion and counting. For example, Anthem Health was fined $11 million for HIPAA violations and a data breach. The company then had to pay $115 million to settle a class-action lawsuit over the same breach, and after that an additional $39.5 million for failing to safeguard its data. That is $145.5 million paid in fines and settlements for one breach.
Given the rise in cybercrime, it makes sense to protect patient information as well as your own. Under the HIPAA Security Rule, one of the ways to protect data is encryption.
"Encryption is a method of converting an original message of regular text into encoded text. The text is encrypted by means of an algorithm (type of formula)."
Source: U.S. Department of Health and Human Services (HHS)
When data is encrypted, only the person or party who holds the decryption key can convert the encoded text back into readable plaintext.
Given the risk posed by cybercriminals, covered entities and business associates must "implement a mechanism to encrypt and decrypt electronic protected health information." In practice, this means ePHI must be encrypted both at rest (for example on the laptop and flash drive involved in the URMC breaches) and when it is transmitted.
Keep in mind that encrypting ePHI is crucial to keeping the data from being accessed and viewed by unauthorized users.
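As an added illustration of the at-rest half of that requirement (this is example code, not from the article, HHS, or URMC), the following Go program seals a patient record with AES-256-GCM from the standard library, so that only the holder of the key can recover it and any wrong key, altered byte, or mismatched record id is rejected rather than decrypted. The record contents, ids, and the in-memory key are constructed for the example; in a real deployment the key would be managed by a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Seal encrypts one ePHI record at rest with AES-GCM (a 32-byte key selects AES-256).
// A fresh random nonce is prepended, GCM appends an authentication tag, and
// ctx (the record id) is bound to the ciphertext as additional authenticated data.
func Seal(key, record, ctx []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, record, ctx), nil
}

// Open reverses Seal and fails closed: a wrong key, a modified byte, or a
// mismatched ctx yields an error rather than plaintext.
func Open(key, sealed, ctx []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil || len(sealed) < aead.NonceSize() {
		return nil, errors.New("invalid key or sealed record")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], ctx)
}

func main() {
	key := make([]byte, 32) // constructed demo key; production keys belong in a KMS or HSM
	rand.Read(key)
	sealed, _ := Seal(key, []byte(`{"mrn":"DEMO-0001","note":"constructed, not real PHI"}`), []byte("DEMO-0001"))
	_, err := Open(make([]byte, 32), sealed, []byte("DEMO-0001")) // all-zero key stands in for a wrong key
	fmt.Println("wrong key rejected:", err != nil)
}
```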