HIPAA and Encryption

A Digicorp Perspective

Like it or not, if you handle Protected Health Information (PHI), your burden continues to increase.

In an article from SC Magazine, Sang Lee summarizes the HIPAA encryption concern as follows:

  1. “As long as PHI is not encrypted, it is unsecured.” He bases this statement on the guidelines published by Health and Human Services. We have known about the HHS position for years, but it is the combination of elapsed time and increased scrutiny that has changed our perspective on assigning a risk premium to this issue. Dating back to the release of the original guidelines, it was understood that PHI in motion required encryption, while data at rest was largely ignored. The bottom line is that unencrypted data at rest is considered “unsecured,” and this risk is amplified by item 2.
  2. HITECH’s Breach Notification, a component of the updated HIPAA laws, puts onerous notification burdens on any HIPAA covered entity that encounters a data breach. Here’s the problem – notification proceedings can cost hundreds of thousands of dollars to millions of dollars when considering the legal and notification costs. Unencrypted data – in motion, on a SAN/server or on a back-up system is at risk of a breach.

In our opinion, it simply isn’t good enough to encrypt and secure data in transit. HIPAA-exposed entities should take the precautionary step of encrypting server and back-up data as well. With today’s technology, this objective can be achieved through proper system selection and implementation. Further, although encrypting PHI increases the cost of back-up and storage, that cost is a relatively small, incremental increase compared with the exposure created by unencrypted PHI on servers and back-up systems.

If you are concerned about your data’s security, speak with Michael Diemer at Digicorp (1-262-402-6150). He can work with Digicorp engineers to assess your risks and then build cost-effective solutions to minimize your exposure.