According to the Healthcare Information Security Today report, 2013 Outlook: Survey Offers Update on Safeguarding Patient Information, most healthcare organizations believe that encryption would greatly improve their data security. Forty-one percent plan to encrypt all mobile devices and removable media, while 35 percent plan to encrypt all end-user devices.
Currently, nearly 60 percent encrypt mobile devices, and only 45 percent encrypt servers or databases. For guidance on encryption to meet HIPAA compliance, the latest Office for Civil Rights (OCR) Audit Protocol provides a description of the actual HIPAA Security Rule standard:
§164.312(a)(1): Access Control
§164.312(a)(2)(iv): Implement a mechanism to encrypt and decrypt electronic protected health information.
The auditor’s actual procedures for determining whether an organization has met the standard include (straight from the OCR):
- Inquire of management as to whether an encryption mechanism is in place to protect ePHI.
- Obtain and review formal or informal policies and procedures and evaluate the content relative to the specified criteria to determine that encryption standards exist to protect ePHI.
- Based on the complexity of the entity, elements to consider include but are not limited to: type(s) of encryption used; how encryption keys are protected; access to modify or create keys is restricted to appropriate personnel; and how keys are managed.
If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so. Evaluate this documentation if applicable.
So although encryption is an addressable implementation specification rather than a required one, it is considered best practice to encrypt protected health information (PHI), especially since breaches of unencrypted data must be reported to the Dept. of Health and Human Services and released to the public.
When it comes to authentication in order to gain access to electronic health records, the most popular type includes just a username and password (89 percent). Twenty-one percent require a digital certificate (SSL certificate), and only 16 percent require two-factor authentication.
Ideally, two-factor should be used for access to ePHI – although not required, it is also considered a best practice to meet HIPAA:
§164.312(d): Technical Safeguards – Person or Entity Authentication
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
In addition to authentication, the survey reports that only 27 percent of healthcare organizations offer patients access to their personal health records via a web portal. While 35 percent are working on it and will have one available soon, 28 percent responded that concerns about security issues have led them to delay a portal until they’re able to resolve those issues.
Have questions about patient portal security and privacy with regards to HIPAA? Join our free webinar tomorrow at 2 P.M. ET and submit your questions in advance. Attorney Brian Balow of Dickinson Wright will lead the discussion on security challenges and how to minimize risk while successfully deploying an electronic patient portal. Sign up online for Security and Privacy Concerns with Patient Portals.
Find out more about the technical, physical and administrative security requirements of HIPAA compliance in our HIPAA Compliant Hosting white paper.