What a shame! All those company names on the Wall of Shame! It is estimated that two-thirds of the companies on the HHS/OCR Wall of Shame would not be there had they implemented a basic control that has been around for centuries. Encryption is not strictly required by the HIPAA Security Final Rule (it is an "addressable" implementation specification, meaning you must implement it or document why an equivalent alternative is reasonable), nor is it mandated by the HITECH Act. However, encryption effectively provides safe harbor under the Breach Notification Interim Final Rule: PHI that was encrypted in a manner consistent with HHS guidance is not "unsecured PHI," so its loss is not a reportable breach. Learn more about what you and your company should be doing…
Advances in communications and computing technologies allow for easy information storage and transmission. But when information is sensitive, we must be careful and employ safeguards to protect it from unauthorized access, modification, and disclosure.
One such safeguard is encryption. Encryption is a procedure that transforms information so that it can be read only by the authorized individuals or computers that hold the decryption key. Encryption should be used whenever sensitive data may be mobile, either online or on disk: email, electronic file transfers, laptops, USB drives, CDs, etc.
You probably already know that encryption is used when visiting certain websites that require you to log in. You may notice in your browser the “http” in the address line replaced with “https” (or in a different color), or you might see a small padlock to indicate a secure website. Just as encryption online prevents other people from seeing the sensitive data you type on the web, you should also use encryption to protect sensitive information stored on a laptop, removable disk or other portable storage, in case of loss or theft.
Likewise, if sensitive information MUST be transferred via email, encryption should be used. System administrators should also encrypt backup tapes, CDs, DVDs and other media, especially when sending media off-site, and should keep the decryption keys separate from the media they protect.
The simple act of encrypting data can help avoid embarrassing situations like appearing on the Wall of Shame and other financial, legal and operational risks. If personally identifiable information (PII) or Protected Health Information (PHI) is lost and not encrypted, most state data breach laws and the Breach Notification Interim Final Rule require notification to every person whose personal information may have been compromised. Note the caveat: the safe harbor applies only if the encryption meets the HHS guidance (which points to the NIST publications on storage and transmission encryption) and the key itself was not lost or compromised along with the data. A laptop whose encryption key is written on a sticky note in the bag is not "secured."
It also places your organization at significant risk of fines, incident response expenses, loss of customers/patients, and damage to your company image and reputation. Nationwide, over 218 million records of U.S. residents have been exposed since 2005.
Encryption can be applied to individual files or an entire drive. Talk with your IT team about the best encryption solution for your equipment. Examples of sensitive information that should be encrypted include but are not limited to:
- Protected Health Information
- Credit card and banking information
- Social security numbers
- Company financial information not for public disclosure
- Research data/intellectual property
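To make concrete what "encrypting a file" means in practice, here is an added example (written for this edit, not code from the original post or from any Clearwater tool). It seals a constructed sample patient record with AES-256-GCM, an authenticated mode, so that the stored file is unreadable without the key and any tampering with it is detected on decryption. The `PHI-ENC1` header and the record contents are made up for the example; in a real deployment the key would be held in a key manager or wrapped by a user passphrase, never stored next to the file.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// magic is a hypothetical 8-byte header marking files in this example format.
const magic = "PHI-ENC1"

// NewKey returns a fresh random 256-bit AES key. The key must be kept
// separate from the encrypted file (key manager, passphrase wrapping, etc.).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptFile seals plaintext under key with AES-256-GCM.
// Output layout: magic || nonce(12 bytes) || ciphertext || GCM tag(16 bytes).
// The header is passed as additional authenticated data, so it cannot be
// swapped without breaking the tag check.
func EncryptFile(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per file; reusing a nonce under the same key
	// would destroy GCM's security guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte(magic), nonce...)
	return gcm.Seal(out, nonce, plaintext, []byte(magic)), nil
}

// DecryptFile reverses EncryptFile. It returns an error for a foreign or
// truncated file, a wrong key, or any modified byte (the tag check fails).
func DecryptFile(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	hdr := len(magic) + gcm.NonceSize()
	if len(blob) < hdr+gcm.Overhead() || string(blob[:len(magic)]) != magic {
		return nil, errors.New("not an encrypted file in this format")
	}
	nonce := blob[len(magic):hdr]
	return gcm.Open(nil, nonce, blob[hdr:], []byte(magic))
}

// LeaksPlaintext reports whether a sensitive marker (for example an SSN)
// is still readable in the clear inside blob, i.e. what a thief would see.
func LeaksPlaintext(blob, marker []byte) bool {
	return bytes.Contains(blob, marker)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("Patient: Jane Doe\nSSN: 123-45-6789\nDx: example\n")
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptFile(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("SSN visible in stored file: %v\n", LeaksPlaintext(blob, []byte("123-45-6789")))

	// Simulate a stolen drive where one byte was altered.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptFile(key, tampered)
	fmt.Printf("tampered file rejected: %v\n", err != nil)

	plain, err := DecryptFile(key, blob)
	fmt.Printf("round trip ok: %v\n", err == nil && bytes.Equal(plain, record))
}
```

Full-disk encryption (BitLocker, FileVault, LUKS) does the same job transparently for everything on a laptop; file-level encryption like the above is what you want for data that must leave the device, such as an email attachment or a backup sent off-site.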
If you need help with encryption and other security practices to keep sensitive data secure, contact your IT team.
The complete HIPAA Privacy, Security and Breach regulations are here.
If you’d like to keep up to date on HIPAA Security and Privacy reminders or HIPAA-HITECH in general, please also consider (all optional!):
- Joining our AboutHIPAA LinkedIn Group: http://AboutHIPAALI.org
- Following me: http://www.twitter.com/ClearwaterHIPAA
- Subscribing to our eNewsletter: http://clearwaterc.wpengine.com/resources/newsletters/
- Subscribing to our RSS feed: Clearwater HIPAA Compliance Blog
- Checking our company web site: http://clearwaterc.wpengine.com/
- Attending a HIPAA HITECH live webinar: http://abouthipaa.com/webinars/upcoming-live-webinars/
- Attending a HIPAA HITECH Blue Ribbon Panel Live Web Event: http://abouthipaa.com/webinars/blue-ribbon-panel-live-events/
- Viewing a pre-recorded webinar: http://abouthipaa.com/webinars/on-demand-webinars/
By Bob Chaput