Perhaps one of the most significant changes to the HIPAA Security Rules is the requirement for HIPAA Covered Entities and their Business Associates to provide notification in the event of any breach/exposure of unsecured/unprotected personal health information (PHI). Who has to be notified? Well, of course, you'll need to notify the affected individual(s) and the HHS, but you may also have to notify the police/authorities . . . and depending upon the size of the breach even the media and no one wants that kind of publicity!
HIPAA guidelines recommend all PHI should be encrypted "while in motion and at rest".
What's PHI "In Motion"?
Simply put, if you send an e-mail (in motion) with PHI, it must be encrypted so that only the recipient can read it. The same holds true for texting and IMing. When you get any electronic communication, it should be stored in encrypted format or on an encrypted device. Transferring PHI information from one location to another electronically? Yes, indeed! Moving data around on a Flash Drive? Yup, encrypt it! Notebooks with PHI should have the hard drives encrypted or at least the PHI files should be. Un-protected notebooks with PHI exposed seem to be a leading point of exposure. (Remember, statistically 1 in 10 notebooks are stolen each year.)
I was working with a C-Level executive at an extended care facility who, when I brought up texting as PHI in motion and the risks in a meeting said "Oh, we don't do that!" and his Director of Nursing corrected him saying "Oh, the nursing staff passes messages to each other all of the time that way!" Don't just assume your staff doesn't pass PHI via text, e-mail or IMing. Check first. You may be surprised.
Let's talk about PHI data on your server. (Data at Rest)
What about my server, you ask? Servers can't be encrypted, can they? The answer is a straightforward Yes, although your tech guys may be resistant because they've never done it before. Most major data base programs like Microsoft SQL, MySQL and so forth have the built in capability to encrypt your data stored. Current versions of Microsoft Server software also have the ability to encrypt the server hard drives or certain partitions of it that can store your PHI at a very high level that meets or exceeds HIPAA standards.
If I'm not absolutely required to encrypt my data bases on my servers, why should I bother? The answer is spelled out very clearly in the HIPAA compliance requirements. If you have a breach and it's "unprotected" by encryption, you're subject to all of the reporting requirements of the ACT(s) AND are subject to potentially significant fines. If your breached data is "protected" by encryption, your not. Seems like a pretty easy decision, doesn't it?
Would you like more information on this topic? Here's a link to a nice article by the AMA:
http://www.ama-assn.org/resources/doc/psa/hipaa-phi-encryption.pdf
No comments:
Post a Comment