To ensure that your organization and your clients are acting in accordance with the HIPAA Security Rule as it relates to ENCRYPTION of ePHI, I did some extensive research and found a resource written by the American Medical Association titled “HIPAA Security Rule: Frequently asked questions regarding encryption of personal health information.” The document addresses a number of questions from physicians and other health care professionals as well as other HIPAA-covered entities and business associates. Consider the points below as they relate to your usage of ePHI:
To Begin with, What Information Should You Encrypt?
Any systems and individual files containing PHI/ePHI should be encrypted. Examples include electronic medical records, claims payment appeals, scanned images, emails containing ePHI, etc.
Emails containing ePHI. If you or your clients (physicians) correspond with health insurers or other health care professionals via email, and those emails contain ePHI and are sent unencrypted, you could be found to have failed to protect ePHI for which you are responsible.
Encrypt all devices containing ePHI. A login password alone is not enough: it protects the session, not the data at rest, so anyone who removes the hard drive from a laptop containing ePHI can read it directly. All devices that contain ePHI, including laptops, PCs, smartphones and tablets, need encryption technology, preferably “whole disk encryption” technology.
If ePHI is accessed via the Internet, encrypt those sessions. Traffic crossing the Internet passes through networks you do not control and can be intercepted, so check with your Web service provider to ensure that any ePHI that travels across the Internet is protected by Transport Layer Security (TLS, the successor to secure sockets layer, SSL) or similar technology.
Encrypt any other remote access sessions. If physicians or staff connect to the home office remotely to read email or access other resources containing ePHI, that traffic is exposed to unauthorized snooping unless it is encrypted. It is important that these sessions be conducted using encrypted tunnels, or VPNs.
What Happens If a Security Breach Occurs at an Organization That Uses Encryption Technology?
If the ePHI involved was stored and transmitted in encrypted form, the breach notification requirement does not apply and you do not need to notify patients. This safe harbor applies only to HIPAA-covered entities and business associates whose encryption renders ePHI unusable, unreadable, or indecipherable to unauthorized individuals, and it is lost if the decryption key was exposed along with the data (for example, a key stored on the same lost laptop); the key must be kept separate from the data it protects.
How do Startel’s Solutions Help Organizations Protect ePHI?
Businesses that handle sensitive information are not only morally obligated to protect the sensitive, private and personal information of their clients; they are legally obligated to do so. Startel’s Encrypted Email Service enables compliance with HIPAA by utilizing the Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption protocol. S/MIME converts the message body from readable plaintext to ciphertext: the body is encrypted with a randomly generated symmetric content key, and that content key is in turn encrypted with the recipient’s public key. Only the recipient holding the private key that matches that public key can recover the content key and decipher the message. Someone who intercepts the message without the private key sees only MIME headers and base64-encoded ciphertext.
The public key encrypts and the private key decrypts. An S/MIME certificate binds the recipient’s public key to a particular email address, which is what lets a sender trust that the key belongs to the intended recipient; the same key pair can also be used to digitally sign outgoing messages so the recipient can verify who sent them.
In addition, the Startel Encrypted Email Service encrypts message content with the Advanced Encryption Standard (AES) using a 128-bit key (AES always operates on 128-bit blocks; the key length is what determines its strength). Exhaustively trying all 2^128 possible keys to “break” an encrypted message is computationally infeasible with any foreseeable hardware. Note that S/MIME protects the message body and attachments; the Subject line and other headers are not encrypted, so they should not contain ePHI, and the whole scheme depends on the recipient’s private key remaining private.
Users of Startel’s Encrypted Email Service have peace of mind knowing that their messages remain secure and private during transmission and storage.
In my third blog post of this topic, I will address how Startel’s Secure Messaging application handles ePHI and specifically, how it complies with HIPAA.