If you are an IT professional or otherwise know Internet standards, you are probably familiar with SSL (secure sockets layer) security certificates and the concept of encryption. Essentially, any encryption method scrambles data using an intricate codification system and decoding protocol. For example, in the case of SSL certificates, a public key is held by the server, and a private key is provided to each user.
Let’s look specifically at how data encryption applies to protected health information (PHI), which, in a fundamental sense, means EHR/EMR (electronic health/medical records). Clearly, this type of data must be kept under digital “lock and key” due to its profoundly private nature.
Is data encryption mandatory?
As Donald F. Lee III of Algonquin Studios establishes, encryption is not necessary – technically – under the HIPAA Security Rule (the section that addresses encryption standards). Lee points out that the Rule does not state outright that data must be encrypted at any stage of the process. Both of the subsections that address encryption specifications (each contained in the Technical Safeguards section of the Security Rule) list the encryption recommendations as “Addressable” rather than “Required.”
Regardless of Lee’s initial argument, he points out that Health & Human Services clarifies on the Frequently Asked Questions (FAQ) section of their site that lack of encryption would necessitate a sound explanation. Since it would be challenging to argue that data should not be encrypted for its protection, Lee makes clear his central thesis: Yes, you do need to encrypt, even if the Security Rule is somewhat confusing in this regard.
What HIPAA itself states regarding encryption parameters
HHS describes acceptable methods for protecting unsecured data in its advice to comply with the Breach Notification Rule. The guidance lists two different ways to protect data: encryption and destruction. Since the general concern of those with PHI is creating a secure environment for data currently being stored or processed, encryption is the relevant method.
HHS, citing the Security Rule, notes that encryption is described as a process to change data into a different state. It is highly unlikely that it can be understood without the applicable decryption tool. HHS also points out that whatever is being used to decrypt the data must be on a separate machine or somewhere off-site. The stipulations for HIPAA database storage and data transmission are both subject to the specifications of the National Institute of Standards and Technology (NIST).
Specific suggestions for encryption
You may have heard across-the-board suggestions such as, “Don’t store or process any PHI on a laptop.” According to Mike Semel of 4Medapproved, that’s not necessarily the case. It would be best if you had proper protection. Semel suggests that you can either encrypt files individually or do the entire hard drive as a whole. To do the latter, you can use software that automatically encrypts all the data on the drive, called full disk encryption (FDE).
Specifically, Semel recommends using an encryption program on a laptop with a solid-state drive (SSD). You can convert an existing laptop to solid-state for this purpose. He notes that even if the computer were stolen, you still would not be in violation because the new owner would not be able to access the data.
He also specifically suggests setting up a virtual private network (VPN) to access the data remotely so that the Internet connection is not vulnerable. He points out that even if someone can see the data passing back-and-forth on the VPN, none of it will be in a recognizable form.
Mobile devices vs. servers
Any mobile device, including a laptop, needs to be encrypted. Specific issues with this “client-side” of HIPAA infractions are critical and have received significant focus from the HHS.
The other place where you may have an issue is the server-side. That may seem obvious to you, but Lee believes that mobile encryption is more widely applied than is server encryption. For the most part, HIPAA breaches have occurred because a computer has been stolen that did not have the data properly encrypted. Hacking (commonly considered a true “data breach”) has not been as common as a threat.
Unfortunately, more widespread hacking is probably on the horizon, says Leon Rodriguez, who directs the Office of Civil Rights, the branch of the HHS that oversees HIPAA compliance. Again, though, if the data is encrypted within the server, the thief won’t have any usable data.
As you can see, data encryption is not just important at your facility but also in your server infrastructure. Atlantic.Net can walk you through the process of HIPAA Compliant Hosting. With three decades in the hosting business and a full range of security and auditing certifications, including SSAE 16 (SOC 1) TYPE II (Formerly SAS 70), we know how to keep your patients secured, prevent fines, and protect your reputation with award-winning Dedicated Hosting and Cloud Hosting.
Comic words by Kent Roberts and art by Leena Cruz.