Sen. Franken introduces bill to encrypt PHI on portable devices

Sen. Al Franken has introduced legislation that would require protected health information on portable devices to be encrypted.

According to a HIMSS news brief, the Minnesota Democrat's bill, named the "Protect Our Health Privacy Act of 2012" (S.3351), follows up on a promise he had made during a May 30 Senate hearing in Minnesota. At that hearing – "Ensuring Patients' Access to Care and Privacy: Are Federal Laws Protecting Patients?" – Franken, who chaired the meeting, promised to pursue legislation that would focus on patient protection and health privacy.

Franken's bill, according to HIMSS, "would require all covered entities to encrypt portable devices that store protected health information." It would also restrict medical contractors' use of protected health information and require agencies to report to Congress on any information they receive regarding privacy breaches and any enforcement action they take.

HIMSS also reported that Franken has sent a letter to Health and Human Services Secretary Kathleen Sebelius asking the department to release regulations for existing medical privacy laws. "It is imperative that HHS use its regulatory authority to safeguard patient data and secure patient trust," he wrote. "I urge you to issue long overdue, statutorily required guidance on the 'minimum necessity' standard, which governs the type and amount of protected health information that entities can share. I also ask that you continue to take steps to address the security of protected health information that is stored on portable media, like laptops."

Franken says there is confusion around the meaning of the 'minimum necessary' standard contained in HIPAA, and that HHS' delay in issuing guidelines "may be contributing to troubling disclosures of sensitive patient information."

In his letter, Franken said encrypting portable devices that contain sensitive health information is considered an industry best practice but isn't mandated by law – as his bill would do. Immediate action by Sebelius, he said, would help while his bill makes its way through Congress.

Franken also said he was encouraged by two recent HHS proposals – that encryption would be part of the criteria for participating in the Nationwide Health Information Network, and that participants in the meaningful use incentive program be required to conduct a security risk analysis that includes encryption practices.

"HHS should also issue guidance on a minimum standard for encryption," Franken concluded. "Furthermore, this guidance must be able to evolve to keep pace with changing technology. And HHS doesn't have to wait for Congress to act, either; with existing authority, it can update the Security Rule to require encryption of portable devices containing PHI."
Comments

Sabastian
The spirit of Senator Franken's Bill is welcomed, but still falls short. Because the HIPAA/HITECH act stops short of mandating encryption for protected health information 'at rest', many covered entities tap dance around PHI assurance with checklist compliance. The legislation will best meet its intent by being device agnostic - period. The Bill should "require all covered entities to encrypt protected health information wherever it is directly accessible at the file system layer."
Jeff Brandt
Thank you! Most of the apps on the market today do nothing to protect PHI. Some of the top downloaded apps do not even have a password to protect it if a phone is compromised. Jeff Brandt
member of mHIMSS Security workgroup