56 Journal of Regulatory Compliance Vol. I
key.” 71 This is a key preventative measure because, as discussed below, the
benefits of encryption to improve a data security environment are very high
relative to the costs, although under current law encryption is classified as
“permissible” as opposed to mandatory.
Additionally, the technical safeguards include an addressable “integrity”
standard, which covers “policies and procedures to protect [e-PHI] from
alteration or destruction.” 72 This standard calls for implementation of
“electronic mechanisms to corroborate that [e-PHI] has not been altered or
destroyed in an unauthorized manner.” 73 Moreover, the “transmission
security standard”—a very important standard as it relates to incoming and
outgoing malicious internet traffic—provides for measures to guard against
unauthorized access to e-PHI that is “being transmitted over an electronic
communications network” and includes two addressable measures: (1)
system integrity controls to ensure that e-PHI is not improperly modified
without detection until it is destroyed; 74 and (2) encryption mechanisms to
encrypt e-PHI whenever deemed appropriate. 75
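The integrity and transmission security standards quoted above describe an outcome (corroborating that e-PHI "has not been altered or destroyed in an unauthorized manner") rather than a specific mechanism. The following is an added illustration, not part of the article or of the regulation, of one common way such a mechanism is built: a keyed hash (HMAC-SHA256) computed over a canonical form of the record, which the receiving system recomputes to detect modification in transit or at rest. The record content, field names and key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed example key. A real deployment would obtain this from a key
# management system rather than embedding it in source code.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialize the record deterministically so both sides hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 tag to the record before storage or transmission."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time; False means the record
    (or its tag) was altered, or a different key was used."""
    expected = hmac.new(key, canonical_bytes(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("tag", ""))


# Constructed, fictional e-PHI record used only to exercise the functions.
SAMPLE_RECORD = {"patient_id": "P-0001", "dx_code": "E11.9", "visit": "2013-04-02"}


def demo() -> tuple[bool, bool]:
    """Seal a record, then verify the intact copy and a silently modified copy."""
    sealed = seal_record(SAMPLE_RECORD)
    intact_ok = verify_record(sealed)
    # Simulate unauthorized alteration of one field with the tag left unchanged.
    tampered = {"record": dict(sealed["record"], dx_code="Z00.00"), "tag": sealed["tag"]}
    tampered_ok = verify_record(tampered)
    return intact_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The tag only demonstrates integrity, not confidentiality; it does not encrypt the record, so it addresses the first addressable measure above and not the second. Transport-layer encryption (for example TLS) would ordinarily be layered on top when the record crosses an electronic communications network.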
Overall, the technical safeguards are perhaps the most potent tools to
counter cyber-attacks against health IT infrastructure. With the use of EHR
growing exponentially, however, it is necessary to tailor the technical
safeguard regulations to cybersecurity. This can be done by mandating
standardized and cost-effective encryption and authentication processes. 76
4. Organizational Requirements
Given the nature of e-PHI, it is routinely transmitted between providers
and other organizations, whether it is for a patient referral or for billing and
payment purposes. The organizational requirements under the Security Rule
are aimed at unifying the security framework among different entities—
specifically, business associates of covered entities and their subcontractors
who handle e-PHI. 77 The regulations require business associates to “ensure
that any subcontractors that create, receive, maintain, or transmit [e-PHI] on
behalf of the business associate agree to comply with the applicable
requirements of” the Security Rule. 78 There are parallel regulations covering
the primary relationship between a covered entity and its business
71. Id. § 164.304 (2013).
72. Id. § 164.312(c)(1) (2013).
73. Id. § 164.312(c)(2) (2013).
74. Id. § 164.312(e)(1)(ii) (2013).
76. See discussion infra Part IV.
77. See id. § 164.314 (2013).
78. Id. § 164.314(a)(2)(B) (2013).