As we noted previously, there are numerous requirements for HIPAA compliance. One such item is the protection of your data – while in use, at rest, in motion, or at its disposal.
PHI data can exist in many forms and is generally categorized in one of four states:
- Data in Use (data that is being created, retrieved, updated, or deleted)
- Data in Motion (data that is moving through networks, including wireless transmission)
- Data at Rest (data that exists in databases, file systems, and other storage methods)
- Data being Disposed (paper records, old electronic media, or lost/stolen electronic devices)
The key requirement for protecting your data is that, in the event of a breach, the protected health information must be rendered unusable, unreadable, or indecipherable to unauthorized users through the use of a technology or methodology. This can be done in one of two ways – encryption or destruction of the data.
The effectiveness of encryption depends on the strength of the encryption algorithm and on the security of the decryption key or process. Additionally, encrypting data on servers differs from encrypting it on workstations, and both differ from what laptops and mobile devices require. Encryption of data in motion can also be performed in a number of ways, depending on how and where the data is being transmitted, whether across a local network, across the internet, or wirelessly. Obviously, encryption of data can be quite extensive. It is important to verify rather than assume: many EMR, EHR, and patient management systems do NOT encrypt data at rest or in motion.
The destruction of data is also an acceptable means of securing protected health information. Disposal of paper records should be accompanied by certificates of destruction. When disposing of old equipment, whether owned or leased, the deletion of all ePHI is required. Laptops and mobile devices present a unique problem for securing ePHI, and the ability to destroy (or remotely wipe) the data on these devices is an effective way of securing ePHI, especially in the event of theft or loss of the device. To be compliant you must log when the data was destroyed, who destroyed it, and how.
If you are interested in knowing where to start, try Third Rock’s HIPAA Quick-Check (http://cyberquickcheck.com/). This is a mini risk assessment that will quickly show your level of HIPAA compliance in the major areas of HIPAA (annual risk assessments, training, current policies and procedures, contingency plans, encryption of data, continuous monitoring of devices, etc.). Remember, this is not a full risk assessment; it is just a Quick-Check™.
Articles in the series:
- How to get Started: Risk Assessment
- Breach Detection
- Education
- Data Protections (This Article)
- Planning for Emergency Events
Sign up for our newsletter on the right side of this page to learn more and stay informed about HIPAA and cyber security.