Healthcare businesses struggle with double standards and with highly complex security infrastructure that is disjointed and redundant.
Lawmakers and regulators have a hard time understanding the terminology needed to write laws around technology. A perfect example is how encryption is labeled an "addressable" rather than a "required" implementation specification under the HIPAA Security Rule. Telling businesses that encryption is not a requirement does a serious disservice to the people who have to make security decisions for their company, especially because "addressable" does not mean optional: a covered entity must either implement the safeguard or document why it is not reasonable and appropriate and put an equivalent measure in its place.
In practice, encryption is a HIPAA requirement whatever the label says, because there is no circumstance in which ePHI should be left unencrypted. The incentive runs the other way as well: under the breach notification rule, ePHI that was encrypted in line with HHS guidance is not considered "unsecured" PHI, so losing an encrypted laptop or drive is not a reportable breach. If your business is breached and you did not have proper security controls such as encryption in place, you are exposed to fines running into the millions of dollars as well as civil suits by those affected by the breach.
But encrypting everything is easier said than done.