— Encrypting Medical Records Sent On Electronic Media —
One of the most frequent questions I hear these days involves sending out medical records that used to go out in the mail on hard copy, but now go on electronic media, such as flash drives or CDs. In the old days you’d just put the records in the envelope and hope for the best. If you can do that, why would you need to encrypt electronic media? It wouldn’t be any less secure than the paper. But the Security Rule most certainly includes provisions about encryption of electronic PHI, so what should you do?
There is not a strict requirement to encrypt anything, but there are requirements to consider encryption of any PHI at rest and in motion. One of the most common ways for PHI breaches to occur involves records that are sent and are misdirected or the packaging becomes compromised. There isn't much you can do with hard copy records other than check addresses and use strong packaging, but a risk assessment of electronic PHI would probably indicate that encrypting records sent on a CD or other electronic medium is a very good idea, because it eliminates the most common cause of breaches, which can be expensive to respond to and lead to enforcement investigations.
In fact, organizations that haven’t adequately considered encryption of data at rest on portable media wind up with some of the biggest HIPAA fines that have been handed out, and risk analysis for encryption of data at rest on portable media is a target area for meaningful use attestation in stage 2. It’s also expected to be a topic in the 2015 random HIPAA audits.
So, while there is no strict requirement to encrypt, any reasonable risk analysis would indicate that you’d be nuts not to encrypt for professional communications. It is extremely do-able today with minimal effort and cost, and there are severe consequences if you don’t and something goes wrong.
When it comes to sending records to the patients, though, they do have a right to ask that you send the media unencrypted so they don’t have to deal with passwords. You should have a plan to accommodate unencrypted records the same way you would a request to communicate via plain e-mail — explain the risks (which also depend on the amount of information and level of detail), ask if they want to do it anyway, and document their assent if that’s what they want.
But it’s certainly a good idea to have the default behavior be to send records encrypted. As part of a dialogue about a records release, you may wish to inform your patients that the records will be sent encrypted with the password sent separately, and if they object, let them know they can get them unencrypted, with the explanation of risks and their approval.
For professional communications, such as between provider offices, encryption is the standard of care for electronic PHI, without question.
— New NIST Draft SP 800-171 Provides Excellent Summary of Security —
On November 20, 2015, the National Institute of Standards and Technology released the first public draft of SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which provides an excellent summary of security actions to take to protect information systems, and provides a great checklist of security considerations. I recommend every HIPAA Security Officer review this remarkably compact and useful draft document. It can help every organization working to secure its information systems, without overwhelming anyone. It is clear, easy to use, and fully digestible. To view the full announcement and link to the draft document, visit the CSRC Drafts page at: http://csrc.nist.gov/publications/PubsDrafts.html#800-171
The draft is open for comments until January 16, 2015, and I encourage anyone who does have comments to be sure to pass them on, because information received during the comment period can have a tremendous impact in the usefulness of new documents. If you would like to submit comments on the draft, you can Email your comments by January 16 to: sec-cert@nist.gov
In my estimation, any Health IT shop that fully addresses NIST SP 800-171 and the SANS Top 20 Critical Security Controls ( https://www.sans.org/critical-security-controls/ ) would be one of the more secure Health IT operations in the country. It’s good to have decent tools to help you prioritize and provide the best protection you can with the resources you have available.
— Heads Down, Back To The Holidays! —
Egad! December? 2015 around the corner? I’ve already started scheduling seminars and Webinars into next June, no less! (See: http://www.lewiscreeksystems.com/upcoming_public_seminars.html ) I suppose we all have way too much work to do already so I’ll keep this short, and wish you a happy holiday season!
Jim