2013 State of HIPAA Encryption & Authentication for Healthcare

Posted 4.15.13 by

According to the Healthcare Information Security Today report, 2013 Outlook: Survey Offers Update on Safeguarding Patient Information, most healthcare organizations believe that encryption would greatly improve their data security. Forty-one percent plan to encrypt all mobile devices and removable media, while 35 percent plan to encrypt all end-user devices.

2013 HIPAA Encryption

Currently, nearly 60 percent encrypt mobile devices, and only 45 percent encrypt servers or databases. For guidance on encryption to meet HIPAA compliance, the latest Office for Civil Rights (OCR) Audit Protocol provides a description of the actual HIPAA Security Rule standard:

§164.312(a)(1): Access Control
§164.312(a)(2)(iv) Implement a mechanism to encrypt and decrypt electronic protected health information.

The auditor's procedures for determining whether an organization has met this standard include the following (quoted directly from the OCR protocol):

  • Inquire of management as to whether an encryption mechanism is in place to protect ePHI.
  • Obtain and review formal or informal policies and procedures and evaluate the content relative to the specified criteria to determine that encryption standards exist to protect ePHI.
  • Based on the complexity of the entity, elements to consider include but are not limited to: type(s) of encryption used; how encryption keys are protected; access to modify or create keys is restricted to appropriate personnel; and how keys are managed.

If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so. Evaluate this documentation if applicable.

So although encryption is an addressable (rather than required) implementation specification, it is considered best practice to encrypt protected health information (PHI), especially since breaches of unencrypted data must be reported to the Dept. of Health and Human Services and released to the public.

When it comes to authentication for access to electronic health records, the most common method is a username and password alone (89 percent). Twenty-one percent require a digital certificate (SSL certificate), and only 16 percent require two-factor authentication.

2013 HIPAA Authentication Trends

Ideally, two-factor authentication should be used for access to ePHI – although not required, it is also considered a best practice for meeting the HIPAA standard:

§164.312(d): Technical Safeguards – Person or Entity Authentication
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

In addition to authentication, the survey reports that only 27 percent of healthcare organizations offer patients access to their personal health records via a web portal. While 35 percent are working on it and will have one available soon, 28 percent responded that concerns about security issues have led them to delay a portal until they’re able to resolve said issues.

2013 Patient Portals

Have questions about patient portal security and privacy with regards to HIPAA? Join our free webinar tomorrow at 2 P.M. ET and submit your questions in advance. Attorney Brian Balow of Dickinson Wright will lead the discussion on security challenges and how to minimize risk while successfully deploying an electronic patient portal. Sign up online for Security and Privacy Concerns with Patient Portals.

Find out more about the technical, physical and administrative security requirements of HIPAA compliance in our HIPAA Compliant Hosting white paper.

Healthcare Information Security Today – 2013 Outlook: Survey Offers Update on Safeguarding Patient Information (PDF)


About Otava

Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.
