Encryption may not be required by HIPAA rules, but just because you don’t have to, doesn’t mean you shouldn’t.
In the previous articles, we talked about the very real Dr. L, who experienced identity theft and hacking of her accounts. In our ongoing series to discuss how she could have prevented this, another thought comes to mind: What if there was nothing she could do to prevent access by others, but the data she controls cannot be read?
This is the concept behind encryption. I wanted to focus today on the need for encryption, but first, we need to back up a bit and talk about HIPAA rules.
As many people know, there are two types of rules: required and addressable, and there is unfortunately a lot of confusion about these. Required is the easy one: any rule that is required means you must do it, no ifs, ands or buts; it’s not negotiable.
Addressable, though, is a bit less cut and dried. The US Department of Health & Human Services puts it this way: “a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.” If you believe that an addressable specification is not reasonable or appropriate, you must document your decision.
It’s important to understand that addressable does NOT mean optional! The key phrase is “if it is reasonable and appropriate to do so”: if it’s reasonable, you must do it. Who gets to decide if it’s reasonable? Well, you… until the day the HIPAA auditor shows up, and then they do.
How does all of this relate to encryption? Well, encryption is an addressable specification: by law it’s not required, but that doesn’t mean you shouldn’t do it. There are two reasons why I always recommend encryption:
1. The Breach Notification Rule requires you to notify all patients in writing as well as the local media if you suffer a breach of your data. If the data is encrypted, though, it’s not considered a breach and as such, you do not need to notify your patients or the local news.
2. The second reason relates back to this issue of reasonable and appropriate. My question is, how will you win the argument that it’s not reasonable and appropriate if you are ever audited? Many versions of Windows, such as Server 2008 or Server 2012, Windows 7 Ultimate, Windows 8 Pro, etc., contain a free encryption program called BitLocker. There are free encryption programs like VeraCrypt that will encrypt folders or an entire drive. If you’re not comfortable setting these programs up, most IT companies can easily do it for around the cost of five-to-six hours of support.
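Since the audit question is whether encryption is actually in place and documented, here is an added example (not from the original article) that inventories the BitLocker state of every BitLocker-managed volume and writes the result to a CSV you can keep as evidence. It assumes Windows 8 / Server 2012 or later with the BitLocker PowerShell module (Get-BitLockerVolume), an elevated PowerShell session, and a report path of my choosing.

```powershell
# Added example: record BitLocker status for the audit file.
# Assumes the BitLocker module (Windows 8 / Server 2012 and later) and an administrator session.
$reportPath = "$env:USERPROFILE\bitlocker-audit.csv"   # assumed location for the written record

$rows = Get-BitLockerVolume | ForEach-Object {
    [PSCustomObject]@{
        Checked          = (Get-Date).ToString('s')
        Computer         = $env:COMPUTERNAME
        Volume           = $_.MountPoint
        VolumeType       = $_.VolumeType          # OperatingSystem or Data
        Status           = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        Protection       = $_.ProtectionStatus    # On means the key protectors are actually enforced
        Method           = $_.EncryptionMethod
        PercentEncrypted = $_.EncryptionPercentage
        Protectors       = ($_.KeyProtector.KeyProtectorType -join ';')
    }
}

$rows | Format-Table -AutoSize
$rows | Export-Csv -Path $reportPath -NoTypeInformation

# A volume that is encrypted but has protection Off (e.g. suspended) is not protecting anything yet;
# anything not FullyEncrypted with Protection On is a gap to fix or a decision to document.
$gaps = $rows | Where-Object { $_.Status -ne 'FullyEncrypted' -or $_.Protection -ne 'On' }
if ($gaps) {
    Write-Warning ("Volumes without effective encryption: " + ($gaps.Volume -join ', '))
} else {
    Write-Host "All BitLocker-managed volumes are fully encrypted with protection on."
}
```

Drives that BitLocker has never touched still appear with a status of FullyDecrypted, so the warning line is the list of what an auditor would ask about.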
The bottom line is that encryption is really something every office should be doing. It protects the security and privacy of the data, and it will protect the practice from embarrassing public notifications that always lead to a loss of patients and income. And, as we discussed with Dr. L, if you can’t completely prevent others from accessing your network, at least you can make sure that what they find is not readable.