Encrypting PHI for HIPAA Compliance
Addressable doesn't mean optional: Having an implementation plan can be helpful in case of an audit.
The Department of Health and Human Services (HHS) doesn't offer providers an exact prescription on how to comply with much of HIPAA. Certain parts of the legislation are optional, others mandatory, and some need to be addressed.
Encryption falls under this grayer addressable realm. HIPAA doesn't require providers to encrypt devices or electronic information, but one could say it is strongly encouraged.
If you determine it isn't “reasonable and appropriate,” you have to first document why you reached that decision and then either implement an alternative solution or document why your electronic protected health information (PHI) is safe without encryption or an alternative.
Encryption, however, acts as a safe harbor. If you lose PHI, send it to the wrong person, or have it stolen, it isn't considered a breach if it is encrypted. For this reason, many experts highly recommend encryption, including Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems, LLC in Charlotte, Vermont.
“Don't be afraid of encryption,” he said. “It used to be people were scared it would fry their computers or wouldn't work. There are all kinds of options for encryption that they can take advantage of. It works well.”
Where to start
If you are wondering what needs to be encrypted in your office, Derrick Wlodarz, president of FireLogic, Inc., in Park Ridge, Illinois, has some advice: “What is every single potential place where PHI is flowing or taking place? Encrypt that,” he recommends.
Track the places where information is being passed. You may be using a cloud-based, protected electronic medical record, but do you send information via e-mail? Do you text or send things in the office on desktops or laptops? If so, you need to consider how all of these processes and devices can be encrypted.
This is the one that is most easily overlooked, Wlodarz said. The good news is it's also easily remedied. A number of vendors now offer end-to-end email encryption services.
Wlodarz said his organization considers Office 365 the “gold standard” in this space. With just a few tweaks, emails are encrypted to HIPAA compliance.
A drawback to e-mail encryption is cost, but prices are coming down as more options hit the market, Sheldon-Dean said. And, after paying an upfront cost, it is self-running and simple to use.
Many offices now use digital faxing. Most services that provide this, Wlodarz said, aren't HIPAA compliant and have no encryption in place. If in doubt, ask your provider if they meet HIPAA guidelines and if they say it doesn't apply to them, they are wrong, Wlodarz stated. He recommends using a vendor like Sfax. If that isn't an option, a workaround here is to quit faxing information – move your electronic PHI communication to another venue like encrypted e-mail.
A free option Sheldon-Dean likes is texting. Vendors like WhatsApp not only have a catchy name, but work well for office or professional communication, he said. Most major vendors selling texting apps now have free encrypted versions. There is a caveat, though: this isn't a great form of communication to use with patients. It doesn't give the paper trail you might need for documentation.
When it comes to devices, Wlodarz recommends being safe rather than sorry. If there is data being passed through or sitting on phones, servers, laptops or other devices, it is best to encrypt them in a way that can be validated in case of a breach.
If you decide to move beyond free encryption options, the cost can be high. Wlodarz said to expect to spend $800 to $1,000 per staff member for a tech-heavy office needing a technical overhaul. Achieving compliance for offices that aren't as tech-heavy can cost less than $600 per staffer.
Many offices can get by with vendors setting up encryption services and staff managing it moving forward. Having a vendor provide ongoing support can cost $95 to $120 per member per month.
But Wlodarz said there is nothing wrong with encrypting on a piecemeal basis. Most of his clients implement it in phases, starting with mobile or email, then moving to servers, then desktops and laptops, and so on.
As with much of HIPAA, showing you have a game plan and are moving toward compliance goes far with HHS.
“If you have an overhaul plan of attack in place which can be shown as evidence in any type of audit, your chances of being fined are heavily reduced,” Wlodarz said. “Being able to prove that a genuine effort is being made is far better than being seen as upholding the status quo.”