Encryption is a method of ‘scrambling’ data so that it cannot be read or used except by the intended recipient. Covered entities are required to encrypt Protected Health Information (PHI) “whenever deemed appropriate”, wording that is intentionally open to interpretation so that the requirement can scale to organizations of any size and evolve with the pace of technology.
When protecting PHI, encryption is vital because it keeps the information unreadable if it is stolen. An intercepted email, if encrypted, won’t reveal PHI. A stolen laptop can’t have its data read if the hard drive is encrypted. Even flash drives should be encrypted if they carry PHI. Strong encryption should be used any time PHI enters or leaves a business by electronic means, whether as an email attachment or through file-sharing technology.
Not having appropriate encryption in place can lead not only to the loss of data but also to fines levied by the OCR for violating HIPAA rules. There have been several examples of fines levied after a laptop was stolen from an employee’s vehicle. Because the laptop was not encrypted and contained PHI, the incident was a preventable breach. Had the laptop been encrypted, the PHI would have been considered safe and no breach would have needed to be reported.
Healthcare Technology Advisors understands that each practice needs to decide what level and method of encryption is appropriate for its environment, which is why we work so closely with our clients to align technology with their business goals. Whatever the solution, it should include strong encryption for all laptop, workstation, and server disks, for emails containing PHI, and for the methods used to transfer PHI between covered entities and business associates.