Data Encryption: Avoid HIPAA Breaches

Data encryption is the most powerful tool your healthcare practice could use to avoid a HIPAA breach.

Smart Training’s Certified HIPAA Professional, Jim Moore, said, “In the case of a theft or hack, data encryption is the only get-out-of-jail-free card you’ve got.”

HIPAA requires covered entities to safeguard protected health information (PHI). And since many healthcare practices have started to use technology to share PHI, data encryption is essential to avoid HIPAA breaches. HIPAA breaches are extremely costly for practices. 

What is data encryption?

Data encryption translates data into another form or code. If the data is encrypted, it is not readable, and criminals can’t access the data. The criminal would need the decryption key, or password, to decrypt the data.  If the data is encrypted, any stolen device or hack would not be a HIPAA breach. 

When healthcare practices leave data unencrypted, any hacker or criminal has easy access to the data. This leads to HIPAA breaches. For example, let’s suppose your healthcare employee uses a laptop for work. If your employee leaves the laptop in their car, and a criminal steals it, the criminal can access any PHI stored. This incident would lead to your practice being fined for a HIPAA breach.

Similarly, if healthcare practices email unencrypted data, any phishing attack or cyberattack leaves your practice at risk for a HIPAA breach. Your PHI is vulnerable if it isn’t encrypted.

But if your practice had encrypted the PHI, both of these situations wouldn’t be a HIPAA breach. Data encryptions helps your practice avoid HIPAA breaches.

Does data encryption protect practices from HIPAA fines?

“Even if a practice has their server stored in a locked room, if a criminal does break in and steal the device, it’s a HIPAA breach,” Jim Moore told me. “If the device were encrypted, it wouldn’t be a HIPAA violation.”

Let’s look at some case studies that prove the importance of data encryption:

• Lack of Encryption Leads to $3 Million HIPAA Penalty for New York Medical Center
• 52,076 Patient Records Stored on Stolen Valley Hope Association Laptop

Is data encryption optional under HIPAA law?

Under the  HIPAA Security Rule, data encryption is a technical safeguard. Data encryption is considered an addressable specification, not required. Are addressable specifications optional? Not necessarily. Addressable specifications do allow for flexibility, though. But to be protected from a HIPAA fine, your practice needs to prove it demonstrated good faith efforts to secure your data.

“We really need a consultation with practices to assess their situations,” Jim Moore said. “Is their server stored under the front desk? That’s no good. But if they have a camera or an alarm system, that’s better.”

Jim Moore told me, “Either way, if an unencrypted device gets stolen, it’s a HIPAA breach.” But installing more efforts to protect your patient data leads to lower fines. The more negligent you are, the higher the HIPAA fine you face. All in all, you should schedule a consultation with a HIPAA Professional to assess your situation.

HIPAA Journal writes, “If organizations fail to implement encryption, they have to document the reasons why.”

How do I encrypt my data?

Who should you turn to for data encryption? The answer is complicated.  “A lot of practices go to an IT Provider for data encryption,” Jim Moore told me. “Many times, IT Providers will tell Practice Owners they are encrypting the practice’s data, but really, they’re only password-protecting it. Password-protecting and encryption aren’t the same, and password-protection is not adequate under HIPAA law.”

Ideally, a practice would have its own IT Specialist to ensure the data is encrypted. But if a Dentist tries to be their own IT Specialist, they often have no idea what they’re doing. Technology is complicated, but cybercriminals are skilled. 

“It’s hard, because a Dentist will think they have their data encrypted,” Jim said. “The only way they find out it’s not is if the device is stolen, and if it is, they’re already facing a HIPAA fine.”

Don’t forget about Business Associate Agreements!

If you decide to trust an IT Provider with your patient data, make sure you have them sign a Business Associate Agreement. I know we are always badgering you about Business Associate Agreements, but they are essential.

HIPAA requires you to have signed Business Associate Agreements if you trust business associates with your patient data. If your practice suffers a data breach because of the business associate, and you don’t have a signed document, your practice is at fault for the HIPAA breach.

Here are case studies about HIPAA fines that were issued due to a lack of a Business Associate Agreements:

• Lack of Business Associate Agreement leads to $750,000 HIPAA fine
• No Business Associate Agreement? $31K Mistake

“A lot of IT Providers won’t want to sign a Business Associate Agreement,” Jim told me. “They don’t want to be liable if there is a breach.” Your best bet is to find an IT Provider that will sign the document.

Are there other data encryption options?

If you don’t want an IT Provider’s help, you can also find an app, like Bitlocker  or  Henry Schein. You will want Business Associate Agreements with these companies as well. Jim said, “You need to have a Business Associate Agreement if they have access to your data.”

What’s the best way to make sure my practice is HIPAA compliant?

Best practice: consult with a Certified HIPAA Professional. Jim Moore can assess your office’s HIPAA compliance. He can create remediation strategies to protect your practice against HIPAA fines.

All our compliance solution packages – Platinum+, Essentials, and  Complete Compliance Solution – offer online HIPAA training, HIPAA Policies and Procedures, and patient documents.

Interested in learning more? Schedule a demonstration with one of our Compliance Advisers.