The #1 Reason for a PHI Data Breach is a Lost or Stolen Portable Storage Device

Laptop

Product Information

If your laptop is stolen, you are required to report this as a PHI Breach to every patient whose data might be on the laptop. You must also report it to the Secretary of HHS, and you may need to notify the local media as well.

You can avoid this extremely embarrassing issue by encrypting your laptop.

This gives you Safe Harbor…which is a fancy way of saying, if your laptop is encrypted, you don’t have to report that you had a PHI Breach.

We highly discourage storing ePHI, or any sensitive data, on a mobile device that is not encrypted…even if that device never leaves your office.

The biggest breach threat over the years has been a lost or stolen laptop. This is also the easiest thing to fix.

Your encryption focus needs to be on the following items: laptops, tablets, thumb drives, external hard drives, DVDs, and any other media on which you may have PHI stored.

What You Get

The Regulation says to conduct or review a security risk analysis, implement updates as necessary, and correct identified security deficiencies as part of that analysis.

Simply put, you must conduct a Risk Assessment of your office and the way your practice operates.

It means you are being pushed into HIPAA compliance via Meaningful Use.

…Don’t worry…we’ve made this easy for you.

Our Meaningful Use Risk Assessment is a paint-by-numbers simple process to ensure you are compliant with this requirement.

Additionally, there are Policies and Checklists for the following:

  • Encryption Policy
  • Encryption Procedure
  • Encryption Best Practices

What The Reg Says

CFR 164.304 Encryption: the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

CFR 164.312 (a)(2)(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

CFR 164.312 (e)(2)(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Addressable: This basically means you don’t have to do it, but if you don’t, you need a really good reason, and you must document that reason for not following the requirement. There are very few requirements that being “addressable” would get you out of.

The government’s explanation is that when a standard includes addressable implementation specifications, a covered entity or business associate must—

(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and

(ii) As applicable to the covered entity or business associate—

(A) Implement the implementation specification if reasonable and appropriate; or

(B) If implementing the implementation specification is not reasonable and appropriate—

(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and

(2) Implement an equivalent alternative measure if reasonable and appropriate.

Only $245