By Dejhone Womack*
When it comes to HIPAA, (Health Insurance Portability and Accountability Act of 1996), the Federal Government has strict guidelines and penalties with regard to Protected Health Information (PHI). Once electronic transactions became the norm in today's business environment, it became essential for businesses, along with their partners, to take additional steps to ensure electronically transferred information was secure. The HITECH Amendment to HIPAA outlines the federal requirements in place to achieve this security, while protecting the integrity and confidentiality of electronic Protected Health Information (ePHI).
Electronic Protected Health Information, is considered personal and highly confidential, therefore, a high level of encryption, is necessary. With cyber crooks, identity thieves, hackers, nosy people and viruses, often lying in wait to steal sensitive information, email, inter-office communications and the internet can all be easy targets. The HIPAA “HITECH” Amendment, states that businesses who deal with Protected Health Information must, “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.” To this end, there are two types of encryption, Symmetrical and Asymmetrical.
See Also: HIPAA compliance in e-email encryption.
Symmetrical Encryption essentially runs a selected file through a specified program, which scrambles the file and creates a key, the file and the key, are then transmitted to a given recipient, who uses the supplied key, (or password), to access the file. This form of encryption is also commonly called “Public Key” encryption; it is faster to use than Asymmetrical Encryption and is most commonly utilized within businesses associated with ecommerce. Asymmetrical Encryption, which is known to be more secure than Symmetrical Encryption, utilizes two separate “keys”, a Public Key and a Private Key. The public key is given to those who are expected to send or encode protected or sensitive information. The Private Key, lies with the business, or those who are expected to decode or receive information which is not meant to be public knowledge. There are many acceptable programs available, which offer highly secure levels of encryption to satisfy the above HIPAA requirement.
There is also a responsibility to, “Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.” This security directive can be accomplished with software which allows users to delete sensitive data at will, within a specified time frame, or automatic deletion of data backup files, which allows a business to have more control over what is kept or destroyed. However, the previous statements go hand in hand with, “Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment,” which is another requisite of the HITECH Amendment , and can be achieved with various software/hardware, backup programs available today. Redundant Raid-5 disks arrays, premium email servers and off-site backups offer additional protection.
More than ever, businesses must ensure that their employees, (especially in the medical field), know what is considered PHI, and that these employees, “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network….Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”
To achieve these objectives, establish SSL-based encryption during the transmission of data to/from specified clients through Webmail, POP, IMAP, SMTP, and document storage services. Log out of sensitive information, when done viewing, which will also go a long way, in maintaining the integrity and confidentiality of ePHI.
When sending, receiving or disclosing PHI or ePHI, one of the most overlooked forms of security, is often the Contact Verification. Contact Verification, is the act of ensuring that, “A person or entity seeking access to electronic protected health information is the one claimed.” This is a very important security measure, yet is most often overlooked by those who are not familiar with the correct method for handling PHI, or the HIPAA guidelines for doing so. In order to be compliant with regulations in this regard, it is best to utilize a system of Usernames and Passwords, allowing those who “need to know”, access and control over user accounts, ensuring that only the intended recipient(s) of messages or stored documents will have access to them.
While limiting access to accounts will go a long way towards file security, businesses must also be sure to, “Implement policies and procedures to protect electronic protected health information from improper alteration or destruction," and also further adhere to HIPAA requirements by being willing to, “Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. The use of security software to provide detailed audit trails of logins, including any dates, times, and IP addresses from which the logins are made, will increase confidentiality and compliance with federal regulations, in respect to PHI. Auditing of all sent and received email messages is also a much needed security measure, especially when dealing with ePHI.
The importance of maintaining credibility and consumer confidence in the business world is paramount. Protected Health Information is often surrendered on a restricted or “need to know” basis, with the understanding that information contained within data files, will be confidential. It is necessary to, “Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity,” while being sure to institute measures which, “Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.” Through administrative account access, businesses can also choose to set screensavers, which log users off after a specified amount of time, serving to prevent unauthorized access, while ePHI can be retrieved through any computer in an emergency, by simply using the correct login and security information.
HIPAA, and its directives regarding the protection of Electronic Protected Health Information (ePHI), can be challenging to understand and even more difficult to implement, without a proper understanding of the various requirements. Be proactive, aware and sensitive. While sending or receiving information electronically, (particularly emailed PHI), use encryption, whether symmetrical or asymmetrical. If or when PHI is accessed, implement various authentication procedures and utilize unique user passwords. In doing so, it is possible to protect a wealth of PHI and comply with HIPAA HITECH Amendment requirements as well.
*Copr. 2013 Encryptomatic LLC.
Duplication of this article without permission is prohibited.
© 2005, Encryptomatic LLC. Audubon, MN USA.