If you are an IT professional or otherwise have knowledge of Internet standards, you are probably familiar with SSL (secure sockets layer) security certificates and the concept of encryption. Essentially, any encryption method scrambles data using an intricate codification system and decoding protocol. In the case of SSL certificates, for example, a public key is held by the server and private key is provided to each user.
Let’s look specifically at how data encryption applies to protected health information (PHI), which in a very basic sense means EHR/EMR (electronic health/medical records). Clearly it’s crucial that this type of data be kept under digital “lock and key” due to its profoundly private nature.
Is data encryption mandatory?
As Donald F. Lee III of Algonquin Studios establishes, encryption is not necessary – technically – under the HIPAA Security Rule (the section that addresses encryption standards). Lee points out that the Rule does not state outright that data must be encrypted in any stage of the process. Both of the subsections that address encryption specifications (each contained in the Technical Safeguards section of the Security Rule) list the encryption recommendations as “Addressable” rather than “Required.”
Regardless of Lee’s initial argument, he points out that Health & Human Services makes it clear on the Frequently Asked Questions (FAQ) section of their site that lack of encryption would necessitate a sound explanation. Since it would be very difficult to argue that data should not be encrypted for its protection, Lee makes clear his central thesis: Yes, you do need to encrypt, even if the Security Rule is somewhat confusing in this regard.
What HIPAA itself states regarding encryption parameters
HHS does describe acceptable methods for the protection of unsecured data in its advice to comply with the Breach Notification Rule. The guidance lists two different ways to protect data: encryption and destruction. Since the general concern of those with PHI is creating a secure environment for data that is currently being stored or processed, encryption is the relevant method.
HHS, citing the Security Rule, notes that encryption is described as a process to change data into a different state in which it is highly unlikely that it can be understood without the applicable decryption tool. HHS also points out that whatever is being used to decrypt the data must be on a separate machine or somewhere off-site. The stipulations for HIPAA data storage and data transmission are both subject to the specifications of the National Institute of Standards and Technology (NIST).
Specific suggestions for encryption
You may have heard across-the-board suggestions such as, “Don’t store or process any PHI on a laptop.” According to Mike Semel of 4Medapproved, that’s not necessarily the case. You just need proper protections. Semel suggests that you can either encrypt files individually or do the entire hard drive as a whole. In order to do the latter, you can use software that automatically encrypts all the data on the drive, which is called full disk encryption (FDE).
Specifically, Semel recommends using an encryption program on a laptop that has a solid-state drive (SSD). You can convert an existing laptop to solid-state for this purpose. He notes that even if the computer were stolen, you still would not be in violation because the new owner would not be able to access the data.
He also specifically suggests setting up a virtual private network (VPN) if you want to access the data remotely, so that the Internet connection is not vulnerable. He points out that even if someone can see the data passing back-and-forth on the VPN, none of it will be in a recognizable form.
Mobile devices vs. servers
Any type of mobile device, including a laptop, needs to be encrypted, and specific issues with this “client side” of HIPAA infractions is incredibly important and has received significant focus from the HHS.
The other place where you may have an issue is the server side. That may seem obvious to you, but Lee believes that mobile encryption is more widely applied than is server encryption. For the most part, HIPAA breaches have occurred because a computer has been stolen that did not have the data properly encrypted. Hacking (what is commonly considered a true “data breach”) has not been as common of a threat.
Unfortunately, more widespread hacking is probably on the horizon, says Leon Rodriguez, who directs the Office of Civil Rights, the branch of the HHS that oversees HIPAA compliance. Again, though, if the data is encrypted within the server, the thief won’t have any usable data.
As you can see, data encryption is not just important at your facility but in your server infrastructure as well. Atlantic.Net can walk you through the process of HIPAA Compliant Hosting . With two decades in the hosting business and a full range of security and auditing certifications including SSAE 16 (SOC 1) TYPE II (Formerly SAS 70), we know how to keep your patients secured, prevent fines, and protect your reputation with award-winning VPS Hosting and Cloud Hosting.
Comic words by Kent Roberts and art by Leena Cruz.