A man walks past health insurer Anthem's corporate headquarters in Indianapolis, Thursday, Feb. 5, 2015. Hackers broke into the company's database storing information for about 80 million people in an attack bound to stoke fears many Americans have about the privacy of their most sensitive information. (AP Photo/Michael Conroy)

WASHINGTON — Insurers aren’t required to encrypt consumers’ data under a 1990s federal law that remains the foundation for health care privacy in the Internet age — an omission that seems striking in light of the major cyberattack against Anthem.

Encryption uses mathematical formulas to scramble data, converting sensitive details coveted by intruders into gibberish. Anthem, the second-largest U.S. health insurer, has said the data stolen from a company database that stored information on 80 million people was not encrypted.

The main federal health privacy law — the Health Insurance Portability and Accountability Act, or HIPAA — encourages encryption but doesn’t require it.

The lack of a clear encryption standard undermines public confidence, some experts say, even as the government plows ahead to spread the use of computerized medical records and promote electronic information sharing among hospitals, doctors and insurers.

“We need a whole new look at HIPAA,” said David Kibbe, CEO of DirectTrust, a nonprofit group working to create a national framework for secure electronic exchange of personal health information.

“Any identifying information relevant to a patient … should be encrypted,” Kibbe said. It should make no difference, he said, whether that information is being transmitted on the Internet or sitting in a company database, as was the case with Anthem.

Late Friday, the Senate Health, Education, Labor and Pensions Committee said it is planning to examine encryption requirements as part of a bipartisan review of health information security.

The agency charged with enforcing the privacy rules is a small unit of the federal Health and Human Services Department, called the Office for Civil Rights.

The office said in a statement Friday that it has yet to receive formal notification of the hack from Anthem but nonetheless is treating the case as a privacy law matter.

The statement from the privacy office said the kind of personal data stolen by the Anthem hackers is covered by HIPAA, even if it does not include medical information.

“The personally identifiable information health plans maintain on enrollees and members — including names and Social Security numbers — is protected under HIPAA, even if no specific diagnostic or treatment information is disclosed,” the statement said.

A 2009 federal law promoting computerized medical records sought to nudge the health care industry toward encryption. Known as the HITECH Act, it required public disclosure of any health data breach affecting 500 or more people. It also created an exemption for companies that encrypt their data.

Encryption has been seen as a controversial issue in the industry. Encryption adds costs and can make day-to-day operations more cumbersome. It also can be defeated if someone manages to decipher the code or steals the key to it.

In fact, Anthem spokeswoman Kristin Binns said encryption would not have thwarted the latest attack because the hacker also had a system administrator’s ID and password.

Indiana University law professor Nicolas Terry said it seemed at the time of the 2009 law that the government had struck a reasonable balance. Now, he’s concerned that the compromise has been overtaken by events.

“In today’s environment, we should expect all health care providers to encrypt their data from end to end,” said Terry, who specializes in health information technology.
