
HIPAA Compliance Series - Part 4 - Encryption and Trusts

  • ABC Computer Solutions
  • May 12, 2016
  • 3 min read

So far we have worked our way through HIPAA with regard to who needs to understand your HIPAA policies and their importance, the importance of backups and their types, and network security. In this part of our HIPAA Compliance Series we are going to take a look at Encryption and Trusts.

Encryption is one of the best ways to help further protect patient information, but what should you be encrypting and why? It is very common for practices to encrypt email, but did you know that email does not necessarily need to be encrypted? An email only needs to be encrypted if the information contained in it is patient information and if that data is at risk of being compromised. Since many practices are not sure which emails should be encrypted and which do not need to be, many times they just implement encryption on all email. This practice errs on the side of caution. If you are not one hundred percent sure your staff knows what should be encrypted and what does not need to be, this may be a good practice for your practice (though your employees should definitely know what has to be encrypted...).

Encryption is not normally done with data that is kept within a practice's network, for several reasons. The first reason is that the risk of the data becoming accessible to unauthorized parties is relatively low in comparison to systems outside the company network. The second reason is the cost. While encryption software is relatively inexpensive in comparison to hardware with encryption technologies built in, a practice needs to evaluate what it really needs in place. The third reason encryption is not normally done within a network is the performance of hardware and systems. Encrypting data not only has a dollar cost for implementing the encryption technology but it has a performance cost as well. Systems running encryption are slower than systems not running encryption. In order for systems to access data, it must be decrypted and then re-encrypted before storing, which requires more processor power and in turn slows everything down a bit.

So just what should be encrypted? Any patient data that could potentially be accessed by unauthorized individuals should be encrypted. Many times patient data has to be transmitted to other care providers; this is where trusts come into play. Any parties you do business with, whether it be another physician's office, billing agencies, third-party IT providers, etc., should sign an agreement stating that their systems that interact with the patient information you transmit to them are secure to HIPAA standards. While you cannot physically go into another provider and audit them, you need to have the protection in place stating that they know what they should be doing and that they have the appropriate policies and procedures in place. Beyond that it's really out of your control.

It can be difficult to determine if everything is in place to keep your practice compliant. There is a reason for all of the documentation that goes into HIPAA, and as you can see, the better documentation you have, the easier it is to trace what should be encrypted and what does not need to be. You can also see how documentation can be your saving grace in the event of a data breach by another provider that may have had access to data on/from your systems.

If your practice is struggling through HIPAA Compliance and would like a helping hand on how to ensure your systems are properly cared for, give us a call! We work with medical clients big or small in several states already and can help your practice too! www.abccomputersolutions.com

 
 
 
