The decision to use encryption of ePHI as a safeguard depends on several factors. The HIPAA Security Rule permits the transmission of electronic PHI provided it is safeguarded. After a careful analysis of its systems, an organization may decide that encryption of ePHI is the safeguard in its best interest. The healthcare provider may then adopt encryption as the means of protecting sensitive ePHI.
The Security Rule defines encryption as an addressable requirement, which can be confusing. Addressable does not mean optional: if encryption is a reasonable and appropriate safeguard for the protection of ePHI, it should be implemented. The entity may determine that it is the best safeguard within its risk management of the confidentiality, integrity and availability of ePHI. An organization should therefore consider encryption and implement it in its management of ePHI. Whatever it decides, the entity must document the decision in its plan.
No Specific Requirements
When the Security Rule was enacted, its authors recognized the rapid advances in technology. Guidelines tied to specific technologies would need to change regularly, so they chose not to require specific safeguards. It is up to the organization to conduct a careful risk assessment and, based on it, to put in place appropriate mechanisms to protect ePHI. At present, encryption of ePHI is an effective tool. It is a good safeguard for the secure transmission of email and texts through the cloud. In many cases it has become the standard for the transmission of sensitive data in healthcare and in the business world.
Alternative to Encryption
Based on its security risk assessment, a health care provider may determine that encryption is not reasonable and appropriate. It may then implement an alternative safeguard to protect ePHI. It may also decide to do neither and determine that the standard is otherwise met. In every case the provider should document the reasons for its decision.
Breaches of Protected Health Information are a serious matter. A breach is an impermissible use or disclosure of protected health information (PHI) that compromises the privacy or security of the PHI. An impermissible use or disclosure is presumed to be a breach unless certain criteria are met: the covered entity or business associate must demonstrate that there is a low probability that the PHI has been compromised, based on a risk assessment of the following four factors:
First, the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
Second, the unauthorized person to whom the disclosure was made.
Third, whether the PHI was actually acquired or viewed.
Finally, the extent to which the risk to the patient has been mitigated.
Breaches of Protected Health Information take many forms. Examples of breaches of paper PHI are loss of paper files, unsecure disposal, and paperwork given to the wrong person. All entities that handle paper PHI must therefore take care when sharing or disposing of this information. It is not uncommon for patients to receive the discharge summary of another patient, or for old medical records to be found simply thrown away in the trash.
Examples of electronic PHI breaches include loss of an unencrypted mobile device and sharing PHI on an unsecured document-sharing internet site. Every organization must put in place a process by which electronic PHI is protected in the cloud.
All of these have been the subject of Office for Civil Rights penalties.
Verbal breaches of PHI occur when PHI is disclosed to the wrong individual or is overheard because safeguards were not used.
It is important for all covered entities and business associates to review their policies. As a result, they will be better able to protect PHI whether it is on paper, electronic or spoken.
The Office for Civil Rights reports that healthcare data breaches increased continuously over the last few months of this year. For example, there were a total of 41 breaches in April, affecting more people than in previous months; these breaches affected a total of 894,874 records. Since 2009, the annual number of breaches of over 500 records has increased from 18 to 365. 2018 was the worst year in number of breaches but only the fourth worst in total records affected.
Unauthorized Access a Cause of Breaches
The healthcare industry continues to be a major target for hackers as healthcare data breaches increase. In 2018, 161% more healthcare records were involved than in the previous year. Unauthorized access/disclosure incidents were one of the biggest causes of breaches, and the mean size of an unauthorized-access breach increased by 115%. Fortunately, loss, theft and improper disposal incidents all appear to have declined. Despite the bad news, it is likely that cyber security defenses have been effective in preventing hackers from gaining access to data.
Phishing is a Risk
The data from 2018 highlights the importance of improving email security in addition to training employees. One main cause of healthcare breaches in April was phishing attacks: nine breaches resulting from successful phishing attacks were reported that month. Other causes were unauthorized email access and misdirected emails. It will be important to improve technology that prevents the delivery of malicious emails to the inboxes of healthcare workers.
Exposed PHI Remains a Problem
In short, 75% of breaches affected healthcare providers, 14% health plans and 11% business associates of covered entities. The breaches associated with business associates were the most severe and accounted for 42% of all exposed records.
It is in the best interest of covered entities and business associates to put safeguards in place to protect PHI and to train employees on them.