Meeting HIPAA Security and Encryption Standards
How secure is your PHI data?
HIPAA (Health Insurance Portability and Accountability Act) phase 2 audits are set to begin in 2015, and OCR (the United States Office of Civil Rights) has projected that part of the auditing process will include checking whether all systems and software that transmit electronic PHI (Protected Health Information) use encryption technology.
The HIPAA Security Rule requires covered entities and business associates to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting patients' data. As part of this requirement, they must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
This may sound as though encryption is not required: the Technical Safeguards section of the HIPAA Security Rule does not explicitly state that encryption is required for data at rest or for data in transit; both are listed only as “addressable”. However, a covered entity or business associate that chooses not to use encryption must have a satisfactory, documented risk analysis in place that supports that decision.
HHS states: “The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. For example, a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.” By choosing not to use encryption, covered entities leave themselves wide open to breaches.
What technology is at risk of breaches?
Laptops, tablets and mobile devices that are not encrypted are all common causes of breaches, especially as these devices are most likely to be lost or stolen.
While not as likely to be responsible for a data breach, data centers that are not encrypted are susceptible to being hacked, and encryption is the best protection possible to prevent breaches of this nature.
For transmitting data between devices, email is simply not compliant and has the potential to expose organizations to enormous risk.
Cloud fax, which uses encryption and the highest levels of security to handle sensitive information, is a far better choice when transmitting PHI data.
While the terminology used by HHS makes encryption “addressable” rather than “required”, and although implementing a seamless end-to-end encryption standard will bring its own challenges, the benefit of achieving an environment capable of meeting HIPAA standards will undoubtedly prove invaluable should a breach occur.