Meeting HIPAA Compliance with a Managed IT Plan, Pt 4


As covered previously, it is important to ensure physical data safety, individual device protection, and network protection when meeting HIPAA compliance requirements. There are many methods in place for ensuring this type of protection, but in the rare and unfortunate event that all security protocols and systems fail, the data itself must be protected.

HIPAA’s Data Encryption Regulation

The number one way to ensure that data is protected in the event of a systems failure is to encrypt it. Not only does this keep attackers from accessing the data, it can also shield your employees from potential liability: if employees are required to handle data, it is better for everyone involved if that data is properly encrypted. Data encryption is also a HIPAA requirement that all healthcare providers must follow. HIPAA requires that all data be encrypted, and that the tool or software used to decrypt it be kept at a location other than the provider’s office and on a device other than the one being encrypted.

Where Data is Circulated

All relevant data and patient health information must be encrypted. While there are many well-known places where data circulates, some are less obvious. Data can circulate through any program that has full or partial permission to access it, such as a patient database. Beyond that, any program or device that comes into contact with even the smallest piece of personal health information must be recorded and secured. This includes small applications used in day-to-day operations, such as calendar systems, email alert systems, servers, and backups. In addition, any data stored in a database or in general electronic files must also be encrypted, along with any applications used with these sources. Any data created in applications, even information such as appointment times and notes, must be protected, kept confidential, and encrypted.

Type of Encryption

Full-disk encryption is usually recommended for data protection, but no specific regulation specifies which encryption method must be used, though this may change in the future. For safety, the industry standard or better is recommended: AES-128 or AES-256. Other encryption methods are also available, but they must be strong enough to keep personal health information from becoming vulnerable to attackers.
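Full-disk encryption is normally a feature of the operating system or disk software rather than something a practice writes itself, but the property it and the regulation above rely on is the same one shown here: an AES-256 ciphertext is unreadable without the key, so the key must be held somewhere other than the device holding the data. The following Go program is an added illustration, not code from the original post or from tekRESCUE. It encrypts a constructed patient record with AES-256 in GCM mode (an authenticated mode, so tampering is detected as well), binds the record identifier to the ciphertext so a ciphertext cannot be quietly swapped between patients, and shows that a wrong key, a wrong record identifier or a modified ciphertext all fail to decrypt. The record contents and the identifier `MRN-0001` are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// A 32-byte key selects AES-256 (16 bytes would select AES-128).
const keySize = 32

// NewKey generates a random AES-256 key. In a real deployment the key lives in a
// key-management service, HSM or separate device, never beside the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals one record with AES-256-GCM. The returned blob is nonce || ciphertext || tag.
// recordID is passed as additional authenticated data, so decrypting the blob under a
// different record identifier fails even with the correct key.
func Encrypt(key, plaintext []byte, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; GCM nonces must never repeat under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Decrypt opens a blob produced by Encrypt. Any error means the key, the record
// identifier or the ciphertext itself does not match what was sealed.
func Decrypt(key, blob []byte, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	// Constructed sample record; no real patient data.
	record := []byte("Patient: J. Doe; Appointment: 2024-03-14 09:30; Note: follow-up visit")
	recordID := "MRN-0001" // constructed identifier

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Encrypt(key, record, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes) reveals nothing about the record\n", len(blob))

	// Correct key and identifier: the record comes back.
	plain, err := Decrypt(key, blob, recordID)
	fmt.Printf("correct key:      err=%v, record=%q\n", err, plain)

	// A different key, as an attacker holding only the stolen device would have.
	otherKey, _ := NewKey()
	_, err = Decrypt(otherKey, blob, recordID)
	fmt.Printf("wrong key:        err=%v\n", err)

	// Right key, but the ciphertext presented under another patient's identifier.
	_, err = Decrypt(key, blob, "MRN-0002")
	fmt.Printf("wrong record id:  err=%v\n", err)

	// Right key, but one bit of the stored blob flipped: GCM detects the change.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Decrypt(key, tampered, recordID)
	fmt.Printf("tampered blob:    err=%v\n", err)
}
```

Run it with `go run main.go`. The point for a managed IT plan is the separation: the stored blob and backups can be kept on the practice's systems, while the key that makes them readable is managed elsewhere, which is exactly what the decryption-tool requirement in the previous section calls for.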

Reporting Misused Data

In the event that information is somehow stolen, the breach must be reported to the proper authorities as required by HIPAA regulations. Data can be stolen physically or by reaching it over the network through hacking. If proper safety standards are met, the encryption used will stop attackers from reading the data. In extreme circumstances, secure destruction can be used to render stolen data unreadable. Again, if appropriate, advanced encryption is in place, it should prevent hackers from accessing personal health information protected under HIPAA regulations.

For more information about encrypting data and HIPAA regulations, please contact tekRESCUE, located in San Marcos, TX.
