2015-07-17

HIPAA Title II does not explicitly require you to retain proof of your efforts to encrypt devices. Nonetheless, Mike Chapple, PhD, Notre Dame’s senior director of IT service delivery, recommends that you keep all such records anyway.

Encryption a major concern of HHS

The issue of device encryption took center stage in 2014 when HHS’s Office for Civil Rights (OCR) announced settlements totaling almost $2 million with two healthcare organizations that had reported the theft of unencrypted laptops:

Concentra Health Services, owned by Humana, agreed to a $1.7 million settlement for failing to meet industry-standard security expectations, which resulted in a breach of protected health information (PHI) when an unencrypted laptop was stolen from one of its clinics, the Springfield, Missouri Physical Therapy Center; and

Arkansas’s QCA Health Plan settled for $250,000 after a laptop containing PHI was stolen; the amount of PHI involved was relatively small, covering 148 patients.

According to a Verizon report on IT intrusions, 46% of compromises involved stolen or lost equipment that was not encrypted. Healthcare is particularly at risk and should take action immediately, Verizon said.

“Covered entities and business associates must understand that mobile device security is their obligation,” explained OCR privacy deputy director Susan McAndrew (as reported by FierceHealthIT: http://www.fiercehealthit.com/story/ocr-levies-2-million-hipaa-fines-stolen-laptops/2014-04-23). “Our message to these organizations is simple: encryption is your best defense against these incidents.”

Do you need proof of encryption?

Confusion over whether proof is necessary, and exactly what such proof would entail, was the subject of a reader question put to Notre Dame IT director Mike Chapple, PhD (http://searchsecurity.techtarget.com/answer/Do-HIPAA-encryption-requirements-include-PHI-devices). Dr. Chapple’s answer: the HIPAA Omnibus Rule does not specify that proof of encryption is necessary.

Nonetheless, it is wise to encrypt all mobile devices, laptops included, and to keep documentation of that encryption easily accessible. “Encrypting devices that contain PHI provides a way to neatly sidestep HIPAA’s breach notification requirements if the device is lost or stolen,” said Chapple. “Quite simply, the loss of a device containing properly encrypted data does not constitute a breach.”

Specifically, use a standardized encryption algorithm. The common choice is the Advanced Encryption Standard (AES), a subset of the Rijndael cipher (http://stackoverflow.com/questions/748622/differences-between-rijndael-and-aes). One caveat practitioners should keep in mind: the breach-notification safe harbor applies only when the PHI was rendered unusable, unreadable or indecipherable consistent with HHS guidance (which points to NIST SP 800-111 for data at rest, i.e. full-disk or file-level encryption with a vetted algorithm such as AES), and only if the decryption key was not compromised along with the device. A password-protected but unencrypted laptop, or an encrypted one whose recovery key was stored on it in the clear, does not qualify.
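To make the two points above concrete (a standardized algorithm, and a retained record of the encryption), here is an added example that is not from the original post, ClearDATA or Dr. Chapple. It encrypts a constructed sample PHI record with AES-256-GCM from Go’s standard library and produces a small attestation record that can be filed as proof: device identifier, algorithm, a SHA-256 fingerprint of the key (never the key itself), a hash of the ciphertext and a timestamp. The attestation format, the device identifier “laptop-0042” and the sample record are all assumptions for illustration. This is application-level encryption; for lost-laptop safe harbor the page is talking about whole-device encryption, which a disk-encryption product provides and this snippet does not replace.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"time"
)

const (
	KeySize   = 32 // 256-bit key
	Algorithm = "AES-256-GCM"
)

// newGCM builds an AES-256-GCM AEAD: confidentiality plus an integrity tag.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key. A fresh random 12-byte nonce is drawn per
// call (never reuse one under the same key) and prepended to the output.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal; wrong key or any altered bit yields an error, no plaintext.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Attestation is a hypothetical proof-of-encryption record; it holds no secrets.
type Attestation struct {
	DeviceID       string `json:"device_id"`
	Algorithm      string `json:"algorithm"`
	KeyFingerprint string `json:"key_fingerprint"`
	CiphertextHash string `json:"ciphertext_sha256"`
	EncryptedAt    string `json:"encrypted_at"`
}

// NewAttestation binds device, algorithm, key fingerprint, ciphertext hash and a UTC timestamp.
func NewAttestation(deviceID string, key, sealed []byte, at time.Time) Attestation {
	kf := sha256.Sum256(key)
	ch := sha256.Sum256(sealed)
	return Attestation{
		DeviceID:       deviceID,
		Algorithm:      Algorithm,
		KeyFingerprint: hex.EncodeToString(kf[:]),
		CiphertextHash: hex.EncodeToString(ch[:]),
		EncryptedAt:    at.UTC().Format(time.RFC3339),
	}
}

func main() {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample PHI record and device identifier (not real data).
	phi := []byte(`{"patient":"Jane Doe","dob":"1970-01-01","dx":"J45.909"}`)
	aad := []byte("laptop-0042") // authenticated, not encrypted
	sealed, err := Seal(key, phi, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("proof of encryption: %+v\n", NewAttestation("laptop-0042", key, sealed, time.Now()))
	// Stolen-laptop scenario: ciphertext in hand, key absent.
	if _, err := Open(make([]byte, KeySize), sealed, aad); err != nil {
		fmt.Println("without the key the record is unreadable:", err)
	}
}
```

The attestation is only as good as the key handling behind it: the fingerprint lets an auditor confirm which key was used without exposing it, but if that key (or a disk-encryption recovery key) travels with the device, the safe harbor is lost regardless of what the record says.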

Why keep proof when you don’t have to? Because “cover your assets” (CYA) is one of the most important legal concepts you can know, both for defending against lawsuits and for stating your case to investigators. The best way to handle encryption is through a centralized solution, said Chapple; a healthcare-exclusive cloud platform (http://www.cleardata.com/solutions/healthdata-platform/) could serve as that enveloping system.

Turnkey HIPAA compliance

Do you want to explore cloud services with the encryption you need to maintain data compliance? Then partner with ClearDATA. Our turnkey, truly HIPAA-compliant infrastructure (http://www.cleardata.com/solutions/) is built to meet the ongoing needs of today’s, and tomorrow’s, healthcare industry.

The post HIPAA: Do You Need Proof of Encryption? appeared first on ClearDATA.
