The #1 Reason for a PHI Data Breach is a Lost or Stolen Portable Storage Device
You can avoid this extremely embarrassing issue by encrypting your laptop.
This gives you Safe Harbor, which is a fancy way of saying that if your laptop is encrypted (and the decryption key was not lost along with it), you don’t have to report the loss as a PHI Breach.
We highly discourage storing ePHI, or any sensitive data, on a mobile device that is not encrypted…even if that device never leaves your office.
The biggest breach threat over the years has been a lost or stolen laptop.
This is also the easiest thing to fix.
Your encryption focus needs to be on the following items: laptops, tablets, thumb drives, external hard drives, DVDs and other items you may have PHI stored on.
What You Get
Simply put, you must conduct a Risk Assessment on your office and the way your practice operates.
It means you are being pushed into HIPAA compliance via Meaningful Use.
We’ve made this easy for you.
Our Meaningful Use Risk Assessment is a paint-by-numbers simple process to ensure you are compliant with this requirement.
Additionally there are Policies and Checklists for the following:
- Encryption Policy
- Encryption Procedure
- Encryption Best Practices
What The Reg Says
CFR 164.312 (a)(2)(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
CFR 164.312 (e)(2)(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
Addressable: This basically means you don’t have to do it, but if you don’t, you need to have a really good reason, and you must document that reason for not following the requirement. There are very few requirements where being “addressable” would actually get you out of implementing them.
The government’s explanation is that when a standard includes addressable implementation specifications, a covered entity or business associate must—
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and
(ii) As applicable to the covered entity or business associate—
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate—
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.