The Health Insurance Portability and Accountability Act is famous for its role in revolutionising the data security landscape in the United States. Although much focus has been placed on digital or electronic forms of protected health information (PHI), it is important to note that physical objects, such as hard drives, paper documents, CDs, and even cassette tapes, are all covered by HIPAA’s Rules.
HIPAA and Encryption
Encryption is often cited as one of the best methods of protecting electronic data. Encryption renders ePHI unreadable and undecipherable unless the user has the specific key or code needed to decrypt it. If a portable device containing encrypted ePHI is stolen, and the code or key to decrypt the data is not also obtained, the data cannot be viewed. Encryption likewise protects data when a hacker obtains a copy of stored ePHI, for example through a phishing campaign, as long as the key is not obtained with it: the data is unreadable, and therefore the hacker cannot use it for nefarious purposes.
HIPAA’s text does not mention any specific technologies that covered entities (CEs) should use to protect data. This is deliberate, so that the legislation does not quickly become outdated as technology advances; in the future there may be a technology that is even better than encryption at protecting data. However, the Security Rule does list encryption as an addressable specification. This means that CEs must consider using encryption, but it is not mandatory for ePHI to be encrypted at rest or in transit.
CEs should conduct a risk analysis to determine whether encryption is an appropriate safeguard for the PHI they hold. If a CE decides not to use encryption and instead implements an alternative safeguard, it must show that the alternative is reasonable and appropriate and provides an equivalent level of protection. The CE should document the decision not to use encryption and the alternative safeguards implemented in its place.
CEs that decide to use encryption should use an appropriate encryption standard. The National Institute of Standards and Technology (NIST) recommends Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption, OpenPGP, and S/MIME.
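The property described above, that a stolen device or a copied file yields nothing without the key, can be seen directly in code. The following is an added example written for this page, not code from the article or from any HIPAA guidance; it uses only the Go standard library to protect a single ePHI record with AES-256-GCM (a NIST-approved AES mode), and the record content and key are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16/24/32-byte key selects AES-128/192/256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPHI seals one record as nonce || ciphertext || tag; without the key it is random-looking bytes.
func EncryptPHI(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per record; never reuse a nonce under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptPHI errors (instead of returning garbage) on a wrong key or an altered blob: GCM authenticates.
func DecryptPHI(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short to contain a nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() {
	key := make([]byte, 32) // AES-256; in practice held in a KMS/HSM, not beside the data
	io.ReadFull(rand.Reader, key)
	blob, _ := EncryptPHI(key, []byte("MRN 000123 - constructed sample record"))
	_, err := DecryptPHI(make([]byte, 32), blob) // holder of the device but not the key
	fmt.Printf("blob=%x\nwrong-key decrypt: %v\n", blob, err)
}
```

The safeguard only holds if the key is stored and managed separately from the encrypted data, which is the part a risk analysis under the Security Rule has to document.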
HIPAA and Data Destruction
In addition to requiring that CEs have adequate safeguards in place to protect data while they hold it, HIPAA has requirements for how CEs should securely destroy data. For example, for physical paper files, CEs should use paper shredders with a ‘High Security’ rating. This rating means that the National Security Agency and the Department of Defense have approved the device and determined that it renders paper documents into ‘unreconstructable’ shreds.
HIPAA CEs should carefully consider how to dispose of hard drives and disks. These pieces of hardware can contain millions of files belonging to thousands of patients, and therefore pose a serious risk to the data security of a significant number of patients should the CE fail to dispose of them properly. The NSA and DoD have guidelines on how to correctly dispose of hard disks, which involve degaussing the drive and then physically bending and breaking it so that it cannot be reconstructed and the information cannot be read.
HIPAA allows CEs either to destroy their data in-house or to outsource the work to a company that specialises in destroying data in a HIPAA-compliant manner.