Congress is going to give health care entities an exception to notify people if they get broken into as long as they use cryptography.
A large percentage of compelled data breach notifications involve accidental data loss - an employee loses their laptop or some backup tapes get misplaced and no one can account for them. If in such cases the data was properly encrypted, it hasn't necessarily been exposed. I think it's reasonable for the state to allow entities to forgo notifications in these cases. These kinds of exceptions give these entities a reason to invest in encrypting data at rest, and they have motivated large-scale adoption of encryption in corporate environments in recent years.
The question is - exactly what kinds of encryption are considered adequate. The Federal Register notification linked through this article says "The guidance specified encryption and destruction as the technologies and methodologies for rendering protected health information, as well as PHR identifiable health information under section 13407 of the Act and the FTC's implementing regulation, unusable, unreadable, or indecipherable to unauthorized individuals such that breach notification is not required. The RFI asked for general comment on this guidance as well as for specific comment on the technologies and methodologies to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals."
If this is something that concerns you, I'd suggest digging up that guidance and checking to see if you think the requirements are adequate.
Compliance is all about interpretation.
I'm sure that some people will get it right but there are so many ways to mess it up. For instance, if you encrypt a chunk of data that has your private key in it, you can actually extract the private key. Another example would be if you write to disk and then encrypt it as opposed to encrypting before it ever hits disk. It is the small stuff that can screw up these things...
This is not about my concerns for crypto standards, as NIST and other agencies define appropriate ciphers and hashing functions; it's about exceptions when competency is not a prerequisite.
Bill In Question
Too many options exist for fuck-ups. And even if the loss is accidental and encrypted, would it hurt anyone to disclose it? Even accidental loss displays a clear indicator of potential problems.
This does nothing but weaken any consequence for a screw up regardless of the impact.
RE: Congress needs to get punched in the face!