Health Information Management

HIPAA Q&A: You've got questions. We've got answers!

HIM-HIPAA Insider, April 20, 2015

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide you with the information you need.

 
Q: Is there a sample risk analysis about how an enterprise or clinic might evaluate and determine if data-at-rest protection through encryption is reasonable and appropriate as defined in the HIPAA Security Rule? I have seen an example of the risk assessment done to make a decision about encrypting laptops or other edge devices. How does HHS make an evaluation on the healthcare clinic or entity that has ePHI stored on a server or on a storage device and they are trying to decide and/or justify the need to encrypt that data-at-rest? How should an enterprise or clinic evaluate and determine if data-at-rest protection through encryption is reasonable and appropriate for a server as defined in the HIPAA Security Rule?
 
A: There is no simple answer, and HHS does not offer guidance regarding when data-at-rest should be encrypted. However, guidance states that mobile data should be encrypted. HHS reached monetary settlements with two covered entities (CEs) to the tune of approximately $2 million in 2014 following a breach caused by the loss of unencrypted laptops that were used to store PHI.
 
As a general rule of thumb, determine where PHI is stored and how secure storage is. If the PHI is stored on a mobile device or portable media, it should be encrypted. If it's stored on a server, the need for encryption depends on the security of the server. If the server is located in the lunch room, it would be a good idea to encrypt the data, move the server to a secure location, or both. On the other hand, if the server is located in a hardened data center, it's likely the risk to the stored PHI is low if it is not encrypted. When assessing risk, determine how easy it would be for someone to get at the PHI. The easier it is to access, the more likely it is that the PHI should be encrypted.
 
Determining the risk associated with unencrypted data-at-rest is a part of a full risk analysis that should be conducted annually, especially for those CEs attesting to Meaningful Use. The Office of the National Coordinator for Health Information Technology made available a simplified risk assessment or risk analysis tool that can serve as a starting place. It does not specifically focus on assessing the risks to data-at-rest, but it's a good foundation.
 
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA newsletter. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

 


