Encrypting Protected Health Information for HIPAA Compliance
Addressable doesn't mean optional: Having an implementation plan can be helpful in case of an audit.
The Department of Health and Human Services (HHS) doesn't offer providers an exact prescription on how to comply with much of HIPAA. Certain parts of the legislation are optional, others are mandatory, and some are "addressable."
Encryption falls into this grayer, addressable category. HIPAA doesn't require providers to encrypt devices or electronic information, but one could say it is strongly encouraged.
If you determine it isn't “reasonable and appropriate,” you have to first document why you reached that decision and then either implement an alternative solution or document why your electronic protected health information (PHI) is safe without encryption or an alternative.
Encryption, however, acts as a safe harbor. If you lose PHI, send it to the wrong person, or have it stolen, it isn't considered a breach if it is encrypted. For this reason, many experts highly recommend encryption, including Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems, LLC in Charlotte, Vermont.
“Don't be afraid of encryption,” he said. “It used to be people were scared it would fry their computers or wouldn't work. There are all kinds of options for encryption that they can take advantage of. It works well.”
Where to start
If you are wondering what needs to be encrypted in your office, Derrick Wlodarz, president of FireLogic, Inc., in Park Ridge, Illinois, has some advice: “What is every single potential place where PHI is flowing or taking place? Encrypt that,” he recommends.
Track the places where information is being passed. You may be using a cloud-based, protected electronic medical record, but do you send information via e-mail? Do you text or send things in the office on desktops or laptops? If so, you need to consider how all of these processes and devices can be encrypted.
E-mail is the one most easily overlooked, Wlodarz said. The good news is that it's also easily remedied: a number of vendors now offer end-to-end e-mail encryption services.
Wlodarz said his organization considers Office 365 the “gold standard” in this space. With just a few tweaks, emails are encrypted to HIPAA compliance.
A drawback to e-mail encryption is cost, but prices are coming down as more options hit the market, Sheldon-Dean said. And, after paying an upfront cost, it is self-running and simple to use.