Encryption is fundamental to meeting the guidelines of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), because it hides your most sensitive data from unauthorized viewing. The process uses standardized protocols to scramble the data a user transmits into a form that cannot be deciphered. In other words, encrypted information is unreadable to any computer that intercepts it between source and destination; only the sender and the intended recipient can see what is being communicated. Turning the information back into readable form requires digital tools called keys. Keys let the sender and receiver read the data and then encrypt it again so that no one else can see it.
If hackers steal unencrypted data, they can immediately read and use it. Encryption protects data from being stolen in a form that is usable to the thieves. Hackers can steal data in innumerable ways, so encryption is a strong backup defense: stolen data is extremely difficult to use, since decrypting it requires either the keys or a brute-force attack that is time-consuming and often prohibitive.
How encryption relates to HIPAA rules
As the Health and Human Services Department (HHS) notes, encryption effectively lowers the probability that someone who is not the intended recipient would be able to convert the transmission into something readable. The agency recognizes encryption as a best practice even though it does not require the practice explicitly.
To understand how encryption supports HIPAA compliance, consider one of the four primary pillars of the Security Rule, as described in the agency’s summary of the topic: an organization must identify anything that could compromise the security or integrity of its data and put safeguards in place against it. Encryption is one of the best tools covered entities and business associates have for meeting that requirement.
What could happen if data is left unencrypted
As stated above, you do not technically need encryption, but skipping it would require an alternate method to safeguard the data since you still must meet the guidelines of the Security Rule. If you do not encrypt or otherwise protect the information from compromise, you could end up with fines, and you could lose revenue.
As indicated by the American Medical Association, HIPAA civil fines range from $100 to a $1.5 million annual maximum, depending on number, intent, and nature of violations. Also, depending on the violation type and intent of noncompliance, criminal fines could be as high as $250,000, potentially coupled with a prison sentence of up to 10 years. Beyond the fines, a 2015 report highlighted by Healthcare Informatics Magazine found that $305 billion of patient revenue would be lost over the next five years due to data breaches.
Encrypting data while it is moving & standing still
There are two types of data protection that are discussed within HIPAA’s Security Rule: protection for data in transit and protection for data at rest. Since there are different factors related to each, it is a good idea to deal with each of them separately in your plans and policies.
Data in transit is information moving from one system to another. If you are a healthcare provider sending claims to a payer or a clearinghouse, those claims are data in transit. Encryption should be used any time ePHI is moving. You can encrypt with software at the client level, with an SSL/TLS certificate at the server level, or with more complex methods. To comply with the requirements for data in transit, inventory every kind of data transmission you make so that you can verify encryption is applied to each.
Data at rest must also be encrypted, which means storing the information in an unreadable form. The natural starting point is mobile devices, laptops included. Ultimately, you want all stored health data scrambled: every computing device that holds any ePHI should be encrypted.
Encryption’s importance underscored by Omnibus Final Rule
Encryption has really been a best practice since the inception of the law – as indicated by May 2013 comments from HIPAA training firm Kardon Compliance suggesting that encryption should occur, to some degree, on all devices.
Encryption was certainly being broadly advocated at that time (i.e., prior to the HIPAA Omnibus Final Rule) to avoid HIPAA violations and protect patient data. However, the value of encryption in the eyes of the government became even more apparent with that set of rules from the US Health and Human Services Department (passed on January 25, 2013 and effective on September 23, 2013). One of the key stipulations within the Omnibus Rule was encryption of ePHI to prevent unauthorized access in the event of theft or loss.
Two-part strategy to encrypt ePHI
A major reason to care about encryption is that HHS’s requirements for unencrypted information are much stricter than those for encrypted data. Mark Eich, head of information security for the Minneapolis accounting firm CliftonLarsonAllen, suggested using the critical distinction above, “at rest” versus “in transit”, when conducting a risk analysis to review your encryption needs.
Step 1 – Catalogue data at rest. Think about where your data is, both on the client side (mobile devices and workstations) and on the server side. Once you know where the patient data is, you know what you need to encrypt. Eich encrypts his entire hard disk drive, with login credentials required to use the PC. “If someone steals my computer,” Eich said, “they’d need the encryption key to actually interact with the data.”
Step 2 – Consider data in transit. Encrypting data in transit typically requires a secure file server and transfer software. The data should be accessible only with a password or some other type of key entered or provided by the receiver. Once files are uploaded to a secure server, you can send out a link so that people can access the environment with the proper username and password (or through other means).
Launching your HIPAA-compliant system
Are you in need of a system through which you can safeguard healthcare data – to avoid fines from the federal government and to prevent the other negatives of a data breach? At Atlantic.Net, our HIPAA-compliant hosting is backed by fully audited HIPAA, HITECH and SOC 1 & SOC 2 certified infrastructure. Get a free consultation today!