To address the question of whether or not to use data encryption when it comes to meeting HIPAA compliance and keeping patient health information (PHI) protected, let’s revisit the Health Insurance Portability and Accountability Act of 1996 (HIPAA):
“A covered entity must, in accordance with §164.306… Implement a mechanism to encrypt and decrypt electronic protected health information.” (45 CFR § 164.312(a)(2)(iv))
If you choose not to encrypt data, the HIPAA Security Rule requires you to implement an equivalent measure that meets the regulatory requirement. The law leaves encryption open to interpretation because covered entities differ in their networks and how they use them, depending on the type and size of the business.
While HIPAA and HITECH address the security and privacy of PHI with more of a policy and procedures-oriented approach with no strict parameters for what type of technology to use, encryption is typically considered a best practice when it comes to protecting sensitive data.
A few recommendations when it comes to data encryption:
- Don’t use public FTP (File Transfer Protocol) if you need to transfer patient data to and from payers or other business associates.
- The safest approach is to combine two layers of encryption: send encrypted files over an encrypted connection.
- For remote access to applications and data when telecommuting or working from other locations, use a VPN (Virtual Private Network). The VPN creates a temporary encrypted connection that exists only for the duration of the session.
- Always use SSL (Secure Sockets Layer) for web-based access to any sensitive data.
- Keeping sensitive data on a portable device is not recommended. It is better to store your data offsite in a secure environment, such as a HIPAA compliant data center with the physical and network security needed to protect PHI and prevent a data breach. The Sutter Health HIPAA breach, caused by a stolen unencrypted desktop PC, shows why. An audited HIPAA hosting solution can also add protection through measures such as a virtual or dedicated firewall, backup, antivirus and OS patch management.
- If a portable device must hold sensitive information, file/folder-level encryption and full disk encryption (FDE) are both options for keeping the data safe while it is stored locally.
- For mobile devices and removable media that store data, including CDs, DVDs, USB drives, iPods and BlackBerrys, encrypting the data on the device helps protect against a HIPAA breach. Other options include a policy for mobile device use and PHI storage, limiting which data may be stored on the devices, and access controls on the device, including password protection.
- Data at rest needs to be encrypted as well. This includes data on disk drives, backup tapes and servers, which can be reached from remote locations, and in person if the equipment is not properly locked and secured.
- Using the NIST (National Institute of Standards and Technology) standard cipher, the Advanced Encryption Standard (AES), is considered another best practice.
- Other methods that can help you determine if you need encryption include completing a HIPAA risk assessment, performing a gap analysis to find out what you’re missing in your current security environment, and developing and documenting solutions to become more resilient to the risk of a data breach.
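The recommendations above on AES, file-level encryption and data at rest come down to one mechanism: a record is sealed under a key before it is written, and the key is kept somewhere other than the storage. The example below is added here to show that mechanism in working code; it is not code from the original post or from any hosting provider. It uses Go's standard library AES-256-GCM, which both encrypts and authenticates, so a stored blob that has been tampered with, or that belongs to a different record, fails to decrypt instead of yielding garbage. The record ID, the sample PHI line and the in-memory key are constructed for the demonstration; in a deployment the key would come from a key-management service or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh 256-bit key for AES-256.
// Assumption for this example: the key lives only in memory. In practice it
// comes from a KMS or HSM and is never stored beside the ciphertext.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag
// as one blob that can be written to disk, tape or a database column.
// aad (additional authenticated data) is not encrypted but is covered by the tag;
// binding the record ID here stops a ciphertext from being silently moved to
// another patient's record.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; GCM must never reuse a nonce under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. Any change to the blob, the key or the aad makes
// gcm.Open return an error rather than corrupted plaintext.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	recordID := []byte("record:0001")                           // constructed
	phi := []byte("Jane Doe, DOB 1970-01-01, diagnosis code Z00") // constructed
	blob, err := Encrypt(key, phi, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes (12-byte nonce + ciphertext + 16-byte tag)\n", len(blob))

	// Legitimate read: same key, same record ID.
	pt, err := Decrypt(key, blob, recordID)
	fmt.Printf("read back: %q err=%v\n", pt, err)

	// Tampered blob: the integrity check fails.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Decrypt(key, tampered, recordID)
	fmt.Printf("tampered blob rejected: %v\n", err)

	// Blob attached to the wrong record: the AAD check fails.
	_, err = Decrypt(key, blob, []byte("record:0002"))
	fmt.Printf("wrong record rejected: %v\n", err)
}
```

Full disk encryption protects a stolen drive while it is powered off; this record-level layer additionally protects data that is copied out of a running system, to a backup tape, or to another host, because the blob is useless without the key held elsewhere.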
Find out more about the Benefits of HIPAA Compliant Hosting and basic definitions in our HIPAA Glossary of Terms. Get examples of HIPAA training, privacy policies, procedures and forms from established HIPAA compliant medical centers and universities in our HIPAA Resources section.
Looking for more information on HIPAA IT requirements, recommendations, and the foundation of a secure HIPAA compliant data center?
Download our HIPAA Compliant Data Centers white paper now for a complete guide to HIPAA hosting with IT vendors.
Read more on HIPAA and encryption in:
- HIPAA Encryption in the Cloud: Don’t Sacrifice Performance for Security
- Get Ready for HIPAA Audits with Encryption & A Risk Analysis
- High-Capacity, Encrypted HIPAA Clouds for Medical Imaging Data Security
Or check out all Encryption articles here.