Medical Banking Project founder John Casillas says one of the changes in the final Health Insurance Portability and Accountability Act of 1996 (HIPAA) security rule eliminated any requirement to encrypt electronically transmitted protected health information, even over the Internet or other open networks. Encryption is now an 'addressable' implementation specification, which means a provider or payer organization must determine whether it is appropriate to use the technology. Encryption was one of many required procedures or technologies in the proposed rule that now are addressable as the Department of Health and Human Services seeks to make the final rule more scalable for health organizations of all types and sizes.
Casillas says many providers implementing the security rule likely will decide encryption is a reasonable and appropriate way to protect data, but their trading partners may not agree. One area providers will have to consider is the electronic transmission of payment information, including protected health information, between providers, payers, and financial institutions.
Encryption still a good idea
For instance, an insurer may electronically transmit to its bank a payment file containing payment instructions for a batch of claims from multiple providers. The bank will transmit the file to the banking industry's automated clearinghouse network, which transmits the payments to the appropriate banks serving the providers listed in the payment file. The individual banks then will transmit electronic remittance advices that contain protected health information to their provider customers.
Technically, under the final security rule, none of these transfers of information need be encrypted. But to protect themselves from liability, providers will have to demand that their payers and financial institutions adequately encrypt the data. 'That's inevitable,' Casillas has said. 'Providers are the ones on the line and will want to make sure their data is protected throughout the entire banking system.'
