A few weeks ago, Seth Krieger, President of SOS and our own HIPAA Privacy Officer, was asked a question about encryption and backups. Since we are regularly faced with behavioral health organization customers who have no backups and many others who have questions about HIPAA, I thought you might be interested in this brief Q & A.
Question: “Does HIPAA require local backups to also be encrypted?”
There are no HIPAA rules that explicitly require encryption anywhere, but there certainly are severe penalties for failure to secure data, and a provision for a safe harbor if the data is encrypted. That is, if media containing protected health information (PHI) should be stolen, you are in a world of hurt. There can be fines; required publication of the breach in the local newspaper (if the breach includes over 500 patients); mitigation of potential identity theft by purchasing identity theft protection policies for all patients; impact on your reputation in the community; potential civil suits and criminal prosecution; etc.
On the other hand, if the data you lose is encrypted, HHS does not regard it as a breach. The rule explicitly states that the loss of encrypted data does not constitute a breach, so you are not required to report it, or to notify your patients in any form.
That, friends, is a giant carrot, dipped in chocolate!
Let’s review: If I don’t encrypt all my media containing PHI (including the hard drives in my computers, flash drives, and backups), I could face major, major losses, starting with some pretty severe fines but potentially so damaging that the practice might not survive. Alternatively, I could follow some easy encryption steps and be the proud owner of a cloak of invulnerability (where data breaches are concerned). Tough choice, huh?
Because backup media are, or should be rotated to an off-site location, they could be lost or stolen much more easily than media inside of servers and REALLY should be very high on the encryption list. The easiest way to go is just to use backup software that provides an encryption option. Most every commercial backup software has such an option. All you have to do is to check the box and type in a password. In most every case, that choice becomes part of the configuration and will be automatic for every future backup you do with that software and backup configuration. Easy!
That is not to say that a stationary drive need not be encrypted — it absolutely does. The low hanging fruit here, however, is any media that travels. Every phone, laptop, tablet and flash drive should be encrypted if there is any chance at all that it could contain PHI. Think in terms of patient telephone lists, letters, reports, acknowledgements to referral sources, practice management software, etc. Electronic Medical Records are not the only place you might have PHI that you are required to keep secure and private.
For more thoughts and advice regarding encryption, please see this earlier post:
Here are some others on related subjects:
Please share how you have used encryption to secure your cloak of invulnerability!