Encrypting your patients’ health information

May 10, 2013

The requirements of the HIPAA Omnibus Rule make it more important than ever for practices to encrypt patient health information.


Although encryption has long been part of an effective data security strategy, the Health Insurance Portability and Accountability Act omnibus rule makes it more important than ever. That's because the breach-notification requirements apply to unsecured PHI: data that has been encrypted in line with HHS guidance (which points to the NIST standards for encryption at rest and in transit) and whose key has not also been compromised is not considered unsecured, so its loss or theft carries far lighter reporting obligations than the loss of unencrypted data.
Mark Eich, a partner and director of information security for the accounting and consulting firm CliftonLarsonAllen LLP in Minneapolis, Minnesota, notes that numerous encryption tools are available through a Web search. He advises thinking about protected health information (PHI) in two forms: when it is “at rest” (stored) and when it is transmitted.


Start by cataloging where your PHI is at rest in the organization. "It could be servers, work stations, mobile devices, or all of them. That will tell you where you need to apply encryption tools," he says.


On his own laptop, Eich uses Windows BitLocker Drive Encryption, which encrypts everything on his main drive and requires a user ID and password before the data can be accessed.


"If someone steals my computer, they'd need the encryption key to actually interact with the data," he says. Note that full-disk encryption protects data only while it stays on the encrypted volume: a file copied to a flash drive or synced to a smartphone is written in the clear unless that device is encrypted as well. Removable media and mobile devices therefore need their own encryption (BitLocker To Go for USB drives, device encryption on phones) or a policy that blocks writes to unencrypted ones.
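As an added example (not from the article, and not Eich's configuration), the PowerShell session below does what the two paragraphs above describe on a Windows 10/11 workstation: it inventories which volumes are unprotected, enables BitLocker on the OS drive with a TPM plus startup PIN, escrows a recovery password, and encrypts a USB stick separately with BitLocker To Go. The drive letters C: and E: and the registry location checked for the "deny write to unprotected removable drives" policy are assumptions for illustration; the cmdlets are from the built-in BitLocker module and must be run elevated.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's own code. Assumes C: is the OS volume and
# E: is a removable drive; adjust to your layout.
Import-Module BitLocker

# 1. Inventory: which volumes hold data at rest without an enforced key?
#    ProtectionStatus 'Off' means no protector is enforced, even if the
#    volume happens to be partly or fully encrypted.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus,
                  EncryptionMethod, EncryptionPercentage |
    Format-Table -AutoSize

# 2. Protect the OS volume with TPM + startup PIN. TPM-only releases the key
#    to anyone who boots the machine; the PIN closes that gap. Requires the
#    Group Policy "Require additional authentication at startup" to allow a PIN.
$pin = Read-Host -Prompt "Startup PIN" -AsSecureString
if ((Get-BitLockerVolume -MountPoint "C:").ProtectionStatus -eq 'Off') {
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $pin -UsedSpaceOnly -SkipHardwareTest
}

# 3. Add a recovery password and escrow it, so a forgotten PIN does not turn
#    into lost patient records. Backup-BitLockerKeyProtector stores it in
#    Active Directory and only works on a domain-joined machine.
$vol  = Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
$rpId = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')[-1].KeyProtectorId
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $rpId

# 4. The encrypted C: does not protect files copied to E:; the stick needs
#    its own protector (BitLocker To Go). Aes256 rather than XTS keeps it
#    readable on older Windows versions that cannot mount XTS volumes.
$usbPw = Read-Host -Prompt "Passphrase for E:" -AsSecureString
Enable-BitLocker -MountPoint "E:" -EncryptionMethod Aes256 -PasswordProtector -Password $usbPw

# 5. Check whether writes to unprotected removable drives are blocked by policy.
#    Assumption: the policy is reflected in the FVE registry key below
#    (RDVDenyWriteAccess = 1); verify against your Group Policy settings.
$fve = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE' `
           -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue
if (-not $fve -or $fve.RDVDenyWriteAccess -ne 1) {
    Write-Warning "Unencrypted USB drives are still writable; set 'Deny write access to removable drives not protected by BitLocker'."
}

# 6. Verify: both volumes should now report protection On.
Get-BitLockerVolume -MountPoint "C:", "E:" | ForEach-Object {
    if ($_.ProtectionStatus -ne 'On') {
        Write-Warning "$($_.MountPoint) is not protected (status: $($_.VolumeStatus))"
    }
}
```

Step 1 is the part worth running on every machine in the catalog, not just the ones you believe are encrypted: a volume that reports FullyEncrypted but ProtectionStatus Off (BitLocker suspended, for instance after a firmware update) offers no safe-harbor protection if the laptop is stolen in that state.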


Encrypting data for transmission generally requires a secure file server and transfer tool, so that the data can be accessed only with a password or other key provided to the recipient. Eich says his firm uses a secure file-transfer service called LeapFile to transmit PHI. After files are uploaded to the server, he sends the client credentials and a link that applies only to those data. The link is useless without the credentials, which is the point of the arrangement; delivering the two through different channels (the link by e-mail, the credentials by phone, for example) keeps it that way if one message is intercepted.
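The following PowerShell functions are an added example, not the article's method and not LeapFile's code. They show the underlying idea of the paragraph above in a form you can run without a hosted service: a file is encrypted under a passphrase (AES-256-CBC with a PBKDF2-derived key and an HMAC-SHA256 tag over the whole container, encrypt-then-MAC), so the encrypted file can travel over any channel while the passphrase goes to the recipient separately. File names and the 600,000-iteration count are illustrative choices; the SHA-256 PBKDF2 constructor requires .NET Framework 4.7.2 or later, or PowerShell 7.

```powershell
# Added example, not the article's own code. Container layout:
#   salt(16) | iv(16) | ciphertext | hmac-sha256 tag(32)
function Get-PhiKeys([System.Security.SecureString]$Passphrase, [byte[]]$Salt) {
    # Derive separate encryption and MAC keys from one PBKDF2 stream.
    $pw  = [System.Net.NetworkCredential]::new('', $Passphrase).Password
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
               $pw, $Salt, 600000, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    @{ Enc = $kdf.GetBytes(32); Mac = $kdf.GetBytes(32) }
}

function Resolve-OutPath([string]$p) {
    # .NET file APIs resolve relative paths against the process directory,
    # not the PowerShell location, so make the output path absolute.
    if ([System.IO.Path]::IsPathRooted($p)) { $p } else { Join-Path (Get-Location).Path $p }
}

function Protect-PhiFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OutPath,
        [Parameter(Mandatory)][System.Security.SecureString]$Passphrase
    )
    $plain = [System.IO.File]::ReadAllBytes((Convert-Path $Path))
    $salt  = New-Object byte[] 16
    $iv    = New-Object byte[] 16
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($salt); $rng.GetBytes($iv)

    $keys = Get-PhiKeys $Passphrase $salt
    $aes  = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'; $aes.Key = $keys.Enc; $aes.IV = $iv
    $ct   = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

    # Tag covers salt, IV and ciphertext so none of them can be swapped undetected.
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($keys.Mac)
    $tag  = $hmac.ComputeHash([byte[]]($salt + $iv + $ct))
    [System.IO.File]::WriteAllBytes((Resolve-OutPath $OutPath), [byte[]]($salt + $iv + $ct + $tag))
}

function Unprotect-PhiFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OutPath,
        [Parameter(Mandatory)][System.Security.SecureString]$Passphrase
    )
    $blob = [System.IO.File]::ReadAllBytes((Convert-Path $Path))
    # Minimum: 16 salt + 16 iv + 16 (one padded AES block) + 32 tag
    if ($blob.Length -lt 80) { throw "Not a valid container (too short)" }
    $salt = [byte[]]$blob[0..15]
    $iv   = [byte[]]$blob[16..31]
    $ct   = [byte[]]$blob[32..($blob.Length - 33)]
    $tag  = [byte[]]$blob[($blob.Length - 32)..($blob.Length - 1)]

    $keys     = Get-PhiKeys $Passphrase $salt
    $hmac     = [System.Security.Cryptography.HMACSHA256]::new($keys.Mac)
    $expected = $hmac.ComputeHash([byte[]]($salt + $iv + $ct))
    # Constant-time comparison: reject before touching the ciphertext.
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw "Authentication failed: wrong passphrase or tampered file" }

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'; $aes.Key = $keys.Enc; $aes.IV = $iv
    $plain = $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
    [System.IO.File]::WriteAllBytes((Resolve-OutPath $OutPath), $plain)
}

# Sender: encrypt, upload referral.pdf.enc (or attach it), and give the
# recipient the passphrase by a different channel than the link or attachment.
$pass = Read-Host -Prompt "Passphrase" -AsSecureString
Protect-PhiFile -Path .\referral.pdf -OutPath .\referral.pdf.enc -Passphrase $pass
# Recipient: any bit flip or wrong passphrase fails the tag check, not the decrypt.
Unprotect-PhiFile -Path .\referral.pdf.enc -OutPath .\referral.decrypted.pdf -Passphrase $pass
```

The tag check runs before decryption and compares in constant time, so a recipient with the wrong passphrase or a corrupted download gets a clear failure rather than a plausible-looking but garbled file. A hosted transfer service adds what this script cannot: audit logs of who downloaded what, expiring links, and no passphrase for the sender to manage; but it does not remove the need to keep the credential out of the same message as the link.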


Although PHI also can be transmitted via standard e-mail, it is a far less secure method: messages commonly sit unencrypted on intermediate mail servers and in both parties' mailboxes, and the sender has no control over where the recipient's copy ends up. Few security experts recommend it, and many health systems and others dealing with PHI have blanket policies forbidding the use of e-mail to transfer it. "That's a decision you need to make right from the start," Eich advises.