Dive Brief:
- Even more surprising to some than the fact that Anthem did not encrypt its medical records—which made it easier to hack, according to experts—was the fact that HIPAA's regulations do not currently require that personal health data be encrypted by providers who manage those records. A report in HealthIT Security revealed that lawmakers are starting to address this issue.
- The US Senate Health, Education, Labor and Pensions committee is taking up the debate, while New Jersey Gov. Chris Christie has already enacted a law requiring medical record encryption and Connecticut Democrats are apparently also seeking similar legislation in their state.
- At present, HIPAA regs do not specifically require data encryption. Instead, HIPAA-covered entities get to choose, based on their situation, whether encryption is necessary or another approach is more appropriate.
Dive Insight:
The Anthem hack has become the cue for every agency, governmental body, consumer group, healthcare advocacy organization and technology forum to start pushing tougher cybersecurity requirements. While the strong reaction was expected, the stampede could generate more problems than solutions, with lawmakers and federal agencies duplicating efforts with state legislatures around the country.
What would make the aftermath of the Anthem hack even worse is a resulting mish-mash of regulations and laws that vary from state to state, from agency to agency. Any additional HIPAA security regs should at least attempt to coordinate bills being drafted by Congress and work to advise individual states so there can be some parity across all the different bodies with multiple approaches to the same goal.