HIPAA Q&A: You've got questions. We've got answers!
HIM-HIPAA Insider, April 20, 2015
Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide you with the information you need.
Q: Is there a sample risk analysis about how an enterprise or clinic might evaluate and determine if data-at-rest protection through encryption is reasonable and appropriate as defined in the HIPAA Security Rule? I have seen an example of the risk assessment done to make a decision about encrypting laptops or other edge devices. How does HHS make an evaluation on the healthcare clinic or entity that has ePHI stored on a server or on a storage device and they are trying to decide and/or justify the need to encrypt that data-at-rest? How should an enterprise or clinic evaluate and determine if data-at-rest protection through encryption is reasonable and appropriate for a server as defined in the HIPAA Security Rule?
A: There is no simple answer, and HHS does not offer guidance regarding when data-at-rest should be encrypted. However, guidance states that mobile data should be encrypted. HHS reached monetary settlements with two covered entities (CEs) to the tune of approximately $2 million in 2014 following breaches caused by the loss of unencrypted laptops that were used to store PHI.
As a general rule of thumb, determine where PHI is stored and how secure that storage is. If the PHI is stored on a mobile device or portable media, it should be encrypted. If it's stored on a server, the need for encryption depends on the security of the server. If the server is located in the lunch room, it would be a good idea to encrypt the data, move the server to a secure location, or both. On the other hand, if the server is located in a hardened data center, it's likely the risk to the stored PHI is low even if it is not encrypted. When assessing risk, determine how easy it would be for someone to get at the PHI. The easier it is to access, the more likely it is that the PHI should be encrypted.
Determining the risk associated with unencrypted data-at-rest is a part of a full risk analysis that should be conducted annually, especially for those CEs attesting to Meaningful Use. The Office of the National Coordinator for Health Information Technology made available a simplified risk assessment or risk analysis tool that can serve as a starting place. It does not specifically focus on assessing the risks to data-at-rest, but it's a good foundation.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA newsletter. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
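To make the rule of thumb above concrete, here is an added illustration (not from the newsletter, HHS, or ONC) that records each place PHI is stored, scores how easy it would be for someone to get at it, and returns the encrypt / relocate / accept-and-document decision the answer describes. The scoring weights, the location tiers, and the sample inventory are assumptions for the illustration; a real risk analysis would draw them from the organization's own inventory.

```python
from dataclasses import dataclass

# Assumed physical-security tiers (illustrative, not an HHS or ONC scale):
# higher score = easier for an unauthorized person to reach the hardware.
PHYSICAL_ACCESS_SCORE = {
    "hardened_data_center": 1,
    "locked_server_room": 2,
    "shared_office": 3,
    "public_area": 4,   # e.g. the lunch room in the answer above
}


@dataclass
class PhiStore:
    name: str
    portable: bool            # laptop, USB drive, phone, backup tape
    location: str             # key into PHYSICAL_ACCESS_SCORE
    untrusted_network: bool   # reachable from networks outside the clinic
    encrypted: bool           # data-at-rest encryption already in place


def access_ease(store: PhiStore) -> int:
    """Score 1-5: how easy it is for someone to get at the PHI."""
    if store.portable:
        return 5              # leaves the building; treat as easiest to lose
    score = PHYSICAL_ACCESS_SCORE[store.location]
    if store.untrusted_network:
        score += 1            # remote reach raises exposure one step
    return min(score, 5)


def decision(store: PhiStore) -> str:
    """Map the ease-of-access score to the answer's rule of thumb."""
    if store.encrypted:
        return "already encrypted: document as addressed"
    if store.portable:
        return "encrypt (mobile device or portable media)"
    if access_ease(store) >= 3:
        return "encrypt and/or move to a secure location"
    return "low risk: document decision not to encrypt, reassess at next annual analysis"


def assess(inventory: list[PhiStore]) -> dict[str, str]:
    return {s.name: decision(s) for s in inventory}


def sample_inventory() -> list[PhiStore]:
    # Constructed sample inventory for the illustration.
    return [
        PhiStore("field-laptop", True, "shared_office", True, False),
        PhiStore("lunchroom-server", False, "public_area", False, False),
        PhiStore("dc-file-server", False, "hardened_data_center", False, False),
        PhiStore("dc-web-portal", False, "hardened_data_center", True, False),
        PhiStore("encrypted-backup-tape", True, "locked_server_room", False, True),
    ]
```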