HIPAA ePHI and Encryption

 

All of us deal with HIPAA in one way or another, whether it is your own information that gets accessed by others or with other people’s data that we may handle at work. HIPAA sets the standard for how we treat this sensitive information and requires that we respect other peoples, and our own, right to privacy by trying to ensure that only authorized parties are able to view said sensitive information.

This, of course, is set in a day and age where all information is easily accessed and even the United States court has stated that all computer use comes without the reasonable belief of privacy. So how can anyone with good conscience use a computer to access Protected Health Information?

encryption and good implementation of security policies.

The only answer to that is encryption and good implementation of security policies. Even with these there is no guarantee that someone without authorized access will not be able to access the data, but it is currently our only options.

If you are not familiar with encryption I will show you quick by encrypting this sentence and pasting the encrypted version below this:

EnCt2ef11b8c1be9d249
497a6da260440bc41c42
e86c5ef11b8c1be9d249
497a6da26e9vie6WpxQE
GUur/AFjaSjjBBnkU8Tf
oz8MMzPN04cFaRSu+u2k
+CpkE7qlJmQixRuU9gEi
SFR/Vvtomxdc8MVmGY5F
gNMJRe4pMB8Rc5QrHqc4
/YyoPUv5a6Vb3V3nia+T
FROs9ZN+YhZUg8WGLD3I
uAgJNx7ToEYQr3/SKOqg
LJvkkhiv0d/Qk3kmPj09
hcTBk6WU=IwEmS

toryscool

Now you can still access the information but it has been reduced into something that no one can understand. The only way to view the original message is to obtain the key to be able to decrypt it. In this case it is a statement about myself.

The only problem with encryption, other than improperly implemented encryption, is that it has to be unencrypted at some point to be viewed. It is at this stage where someone could possibly gain access to the information if it has been decrypted. For example, if you have a virus on your computer and it has a key logger it could gain access to the password for the protect health information and then be able to get it or if it has access to your memory on your computer it could just steel the decrypted file after someone opens it. It is this reason that encryption alone does not safeguard ePHI but should be used in conjunction with properly implemented security policies.

Security policies that come in the form of software such as a domain controller on a network that manages when updates happen on a computer and password policies can take the headache out of policy implementation if set up properly. Along with software assisted policy enactment you have may have other policies such as the destruction of computer hardware and shredding of monitors to comply with HIPAAs regulations.

The landscape for health informatics is ever evolving and the requirements for security may seem daunting at times because of this. There are however solutions to make your life easier.