To Encrypt or Not to Encrypt: Know the Encryption Pros and Cons


Encrypting your medical records, communications and documents can add a deeper layer of security to the protected health information (PHI) that you share and store. When you encrypt data, you’re obscuring it from unauthorized users, making it less likely to be seen by others.

If you’re thinking of launching an encryption policy at your practice, it’s important to know the pros and cons.

Pro: It Keeps PHI Safe

Encryption makes your data unreadable to anyone who does not hold the key. The encryption process scrambles the information into ciphertext, which can only be "unlocked" by someone who has the "key", typically a password (or a key derived from one) that unscrambles the data so it can be accessed and read again.

When you encrypt the sensitive information you have in your medical records and communications, you’re helping to ensure that it doesn’t fall into the wrong hands. This is not only a good practice for medical offices that want to keep patients happy, but it can protect you from the fines and breach notifications you’ll face if you violate the HIPAA patient privacy rules.

Possible places you might encrypt data include:

  • Data stored in your electronic health records
  • Information you email to other practices, patients, insurers, billers, outside vendors and anyone else
  • Text messages with other providers, patients and insurance reps
  • Data stored on your hard drive or other electronic means

If your phone, computer, electronic health record tablet or any other device falls into the wrong hands, the data on it cannot be read by whoever holds it if you encrypted it. The same is true if a hacker gains access to your devices by other means. Encrypting is a way to protect your PHI from prying eyes.

Pro: You’re Exempt From Breach Notifications If Encrypted Data Gets Out

If your electronic files fall into the wrong hands, you must go through the trouble of notifying affected individuals, the government, and often the public about the PHI breach, but the government has one caveat. If data that was encrypted falls into the wrong hands (and the key was not exposed along with it), the government doesn't consider it a breach, so you don't have to notify anyone. That alone could make up for the time and money you'd spend encrypting your data and communications.

Con: Encrypting Can Be Expensive, Time Consuming

Contrary to popular belief, encryption is not actually mandatory under the HIPAA Security Rule; it is an "addressable" rather than a "required" specification. If you perform a risk assessment and determine that you are already appropriately safeguarding your PHI through another method, you should document that decision, along with your rationale and your alternate method of securing PHI.

However, keep in mind that the HIPAA Security Rule was written in 2002, before providers began routinely emailing and texting with patients, back when personal cell phone and email use was quite limited. In today’s landscape, it would be hard to justify that another security method is as good as encryption in securing that data.

Practices that don't encrypt because they don't want to spend the time, money and resources to install an encryption program and train staff how to use it should perform another risk assessment. Most practices would be hard pressed to claim that their systems are impenetrable through electronic means. Without encrypting data, can you really know that it's safe to send to patients and other entities over text, email or file-sharing methods? If not, then your risk assessment indicates you should be encrypting.

The bottom line: Every practice must make the personal decision on whether encryption is the right choice for them, but for many providers, the pros of encryption far outweigh the cons, leading them to employ an encryption process that secures sensitive patient data.

Want to know more about maintaining HIPAA-compliant documentation and communications? Watch as security expert Iliana Peters, JD, LLM, CISSP, shares plain-English tips on keeping your data secure and avoiding breaches. During her 60-minute online training session, HIPAA Compliant Texting & Emailing: Avoid Practice Audits & Penalties, Iliana will share what practices must know to stay HIPAA-compliant.
