Thursday, May 30, 2013

HIPAA/HITECH and Data Encryption

While specific measures of data encryption are not explicitly addressed in the HIPAA and HITECH Acts, the topic is far from irrelevant. With regard to security considerations, organizations that work with electronic personal health information (ePHI) must be aware of the Breach Notification Rule. That is, covered entities and business associates must issue notification of a breach when the accessed information was left unsecured. Those organizations which properly encrypt their data need not issue such notification. The Security Rule allows some flexibility, stating that data need not necessarily be encrypted, though equivalent measures of protecting ePHI must be taken.

There are additional considerations which must be made by covered entities and business associates to ensure compliance with the HIPAA and HITECH Acts. Those organizations must assess all security risks in order to determine where the greatest risks lie and, subsequently, what data should be encrypted. Next, those organizations will need to select an EHR vendor that will adequately protect that data. That vendor should be able to facilitate secure communication between patients and the associated covered entity or business associates, wipe ePHI from "viewing devices" such as tablets, and also allow select patients access to their personal health records as needed (Anderson, 2013). Not all EHR vendors offer such services, and care ought to be taken in assessing the security requirements of a particular organization.

Risk assessment and the selection of an EHR vendor are significant strides toward HIPAA and HITECH compliance, but covered entities and business associates are often still unclear as to what specific data or devices should be encrypted. While the details of organizations' security policies will surely differ, we recommend that all mobile devices, all easily accessible servers and desktops, and all USB drives be encrypted. Backup tapes and other backup storage devices should also be encrypted, in case those devices are lost in transit.

Once an organization has decided what data should be secured, it may discover a variety of challenges in implementing the encryption of that data. Reviewing where ePHI is stored and the level of risk that the data would be breached should constitute the bulk of the risk assessment (Anderson, 2013). Only then is it possible to choose from the various methods and technologies for encrypting data both at rest and in transit. Not all solutions are considered "best practices" by the industry. LaSalle Consulting Partners has reviewed and evaluated various encryption options and assisted many clients with implementing solutions that are responsive to HIPAA compliance.

If you are interested in learning more about how to effectively implement security measures in your organization, the National Institute of Standards and Technology (NIST) published a Guide to Storage Encryption Technologies for End User Devices that can assist in your efforts.

Anderson, Howard. "Encryption: Four Essential Steps." HealthcareInfoSecurity, 15 May 2013. Web. 30 May 2013. http://www.healthcareinfosecurity.com/encryption-four-essential-steps-a-5755.

LaSalle Consulting Partners, Inc.
200 W Madison St | STE 940 | Chicago, IL 60606
312.361.3326 office | 312.361.3313 office direct | 312.543.8678 cell