To Encrypt or not Encrypt – Is It Even a Question?

Michelle Bilsky, CHCO, LHRM, MLA, CBA Vice President of Risk Management at MedMal Direct // April 07, 2017

Imagine you work for a busy medical practice. You have been tasked with collecting on past-due patient accounts. To be more efficient, you decide it is best to download copies of encounters onto your company-issued laptop. On your way home from work you stop at a service station and completely forget about the laptop sitting on your passenger seat. As you get back in your car, you notice the laptop has been stolen.

The scenario above is very similar to an incident that recently happened to a medical practice: a laptop and unencrypted backup data containing ePHI were stolen from an employee's car. The theft of the unencrypted data put several patients' protected health information (PHI) at risk and resulted in a hefty $750,000 settlement for the medical practice.

Why Encryption?

Over the past two years, the Office for Civil Rights (OCR) has received a budget increase to support its audit program, as mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. With this increased budget, OCR is performing comprehensive desk audits of covered entities and business associates to ensure compliance with the HIPAA Privacy and Security Rules. OCR will be looking at your organization's policies and procedures, security risk analysis, and risk management, among other requirements – including encryption.

OCR has a firm stance on encryption. While encryption is an "addressable" specification to a certain extent, if you do not encrypt you must have an alternative policy and procedure firmly in place to protect patient information. As it applies to mobile devices, there is no good option other than encryption or cloud-only storage.

How Encryption Works 

Under the HIPAA Security Rule, electronic PHI is encrypted when it has been transformed by "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key." (45 CFR 164.304) The key or process enables decryption of the data only by those authorized to view it, thus ensuring the confidentiality and security of the PHI.

In general, there are two types of encryption when it comes to laptops and other mobile devices: encryption of data in transit (encrypted messaging software) and encryption of data at rest (stored data). If you save PHI on a laptop, smartphone, tablet, or other mobile device, encrypting stored data is not a question; it's a must.

Our Recommendation 

We recommend encryption on any devices that store ePHI.  Period – there is no alternative to encryption if you store ePHI on your laptop and the laptop ever leaves the practice location.
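As an added example (not from the original article or from MedMal Direct), the following PowerShell script is one way a practice can check whether a Windows laptop's fixed volumes are actually encrypted with BitLocker and turn protection on where it is missing. It assumes a Windows Pro or Enterprise laptop with a TPM, an elevated session, a domain joined to Active Directory for recovery-key escrow, and a hypothetical report path (`C:\ProgramData\EncryptionAudit\...`) chosen for illustration.

```powershell
# Added example (not the article's own code): audit and enable BitLocker
# full-volume encryption on a Windows laptop that stores ePHI.
# Assumes: Windows 10/11 Pro or Enterprise with a TPM, an elevated PowerShell
# session, and a domain-joined machine for key escrow. $ReportPath is hypothetical.
#Requires -RunAsAdministrator
Import-Module BitLocker

$ReportPath = "C:\ProgramData\EncryptionAudit\bitlocker-status.csv"   # hypothetical location

function Get-EncryptionStatus {
    # One row per OS or data volume: protection state, cipher, progress, and protector types.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' -or $_.VolumeType -eq 'Data' } |
        Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus,
                      EncryptionMethod, EncryptionPercentage,
                      @{ Name = 'Protectors'; Expression = { ($_.KeyProtector.KeyProtectorType -join ',') } }
}

function Enable-VolumeEncryption {
    param([Parameter(Mandatory)][string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') { return }   # already protected, nothing to do

    # Add a recovery password protector first and escrow it to Active Directory,
    # so a forgotten PIN or a TPM reset does not turn into lost patient data.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

    # Encrypt with XTS-AES-256 and unlock with the TPM; a drive pulled out of
    # this laptop and mounted elsewhere stays unreadable.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
}

$status = Get-EncryptionStatus
$status | Format-Table -AutoSize
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$status | Export-Csv -Path $ReportPath -NoTypeInformation   # evidence for the audit file

foreach ($v in $status | Where-Object ProtectionStatus -ne 'On') {
    Write-Warning "Volume $($v.MountPoint) is NOT protected; enabling BitLocker"
    Enable-VolumeEncryption -MountPoint $v.MountPoint
}
```

Run it from an elevated prompt on each laptop (or through your management tooling) and keep the exported CSV with your risk-analysis documentation; a volume whose ProtectionStatus reads Off, or whose EncryptionPercentage is below 100, is one OCR would treat as unencrypted.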

We recommend that if you access ePHI on your mobile device, you NEVER save your passwords on the device or in the browser you use to access the cloud-based ePHI. If you do not save ePHI on your device, you must physically enter your password to access ePHI in the cloud, AND your browser automatically deletes browsing history upon exit, this ensures the protection of the data.
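The two browser conditions in this recommendation can be enforced rather than left to each user. The PowerShell below is an added example (not the article's own) that writes the machine-wide policy registry values Microsoft Edge and Google Chrome read on Windows, turning off the built-in password manager and clearing browsing data when the browser closes, and then reads them back to confirm. It assumes an elevated session on a practice-managed Windows device and uses the browsers' published policy names; devices managed by Group Policy or an MDM should carry the same settings there instead.

```powershell
# Added example (not the article's own code): enforce "never save the password"
# and "clear history on exit" for Edge and Chrome via their policy registry keys.
# Assumes an elevated session on a practice-managed Windows device; policy names
# are Google's and Microsoft's documented browser policies.
#Requires -RunAsAdministrator

$EdgePolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Set-BrowserEphiPolicy {
    # Edge: no password manager, no address autofill, wipe browsing data at exit
    Set-PolicyValue $EdgePolicy 'PasswordManagerEnabled'  0
    Set-PolicyValue $EdgePolicy 'AutofillAddressEnabled'  0
    Set-PolicyValue $EdgePolicy 'ClearBrowsingDataOnExit' 1

    # Chrome: same intent; the on-exit list is a subkey of numbered string values
    Set-PolicyValue $ChromePolicy 'PasswordManagerEnabled' 0
    $list = Join-Path $ChromePolicy 'ClearBrowsingDataOnExitList'
    $categories = 'browsing_history', 'download_history', 'cookies_and_other_site_data',
                  'cached_images_and_files', 'password_signin', 'autofill'
    for ($i = 0; $i -lt $categories.Count; $i++) {
        Set-PolicyValue $list "$($i + 1)" $categories[$i] 'String'
    }
}

function Test-BrowserEphiPolicy {
    # Returns $true only when every setting reads back as intended
    $edge   = Get-ItemProperty -Path $EdgePolicy   -ErrorAction SilentlyContinue
    $chrome = Get-ItemProperty -Path $ChromePolicy -ErrorAction SilentlyContinue
    $list   = Get-ItemProperty -Path (Join-Path $ChromePolicy 'ClearBrowsingDataOnExitList') -ErrorAction SilentlyContinue
    ($edge.PasswordManagerEnabled -eq 0) -and ($edge.ClearBrowsingDataOnExit -eq 1) -and
    ($chrome.PasswordManagerEnabled -eq 0) -and ($list.'1' -eq 'browsing_history')
}

Set-BrowserEphiPolicy
if (Test-BrowserEphiPolicy) { Write-Output 'Browser ePHI policy applied' }
else { Write-Warning 'Browser ePHI policy did not apply; check for conflicting Group Policy' }
```

Once applied, the settings show as managed (greyed out) in each browser's settings page, so a user cannot re-enable password saving on a device that reaches cloud-hosted ePHI; the practice still has to pair this with not downloading ePHI to the device at all, as the recommendation says.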