To Encrypt or Not to Encrypt

To encrypt or not to encrypt: is it even a question?

Imagine you work for a busy medical practice. You have been tasked with collecting on past-due patient accounts. To be more efficient, you decide to download copies of patient encounters onto your company-issued laptop. On your way home from work you stop at a service station and completely forget about the laptop sitting on the passenger seat. When you get back to your car, you find that the laptop has been stolen.

The scenario above closely resembles a recent incident at a medical practice: a laptop and unencrypted backup data containing ePHI were stolen from an employee's car. The theft of the unencrypted data put several patients' protected health information (PHI) at risk and resulted in a hefty $750,000 settlement for the medical practice.

Why Encryption?

This year, the Office for Civil Rights (OCR) has received an increase in its budget to support the audit program mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. With this additional funding, OCR will be performing comprehensive desk audits of covered entities and business associates to verify compliance with the HIPAA Privacy and Security Rules. OCR will be looking at your organization's policies and procedures, security risk analysis and risk management, among other requirements, including encryption.

OCR has a firm stance on encryption. Under the Security Rule, encryption is an "addressable" implementation specification, but only to a certain extent. Deven McGraw, OCR deputy director of information privacy, recently said, "Addressable doesn't mean optional." She goes on to say, "we expect you to address encrypting data at rest and in transmission, and if you don't, you must implement an alternative option in place." Iliana Peters, OCR's Senior Advisor for HIPAA Compliance and Enforcement, doesn't pull any punches either, stating that there really aren't any other great options for securing devices that can be lost or stolen.

How Encryption Works

Under the HIPAA Security Rule, electronic PHI is considered encrypted when it has been transformed through "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key" (45 CFR 164.304). The key or process, which must itself be kept confidential, allows only those authorized to view the data to decrypt it, thereby preserving the confidentiality and security of the PHI.

In general, there are two types of encryption when it comes to laptops and other mobile devices: encryption of data in transit (for example, encrypted messaging software) and encryption of data at rest (stored data). If you access or save PHI on a laptop, smartphone, tablet or other mobile device, encrypting stored data is not a question; it's a must.

Our Recommendation

We highly recommend encryption on any device that can access, store or transmit ePHI. In the event of a lost or stolen laptop or other device, encryption or an equivalent alternative is your best defense. Finding an equivalent alternative is challenging, however, especially given OCR officials' stance that there really aren't any other great options for securing devices that can be lost or stolen.

If you have any questions or would like additional guidance for securing mobile devices with encryption or other measures, please contact one of our professional consultants.