Would you ever buy an SUV without locks? Or leave the keys in the ignition while you are grocery shopping?
Would you be happy to deposit your hard-earned money in a bank, with no security protocol, so that anybody can walk in and get away with all the money stored inside? The likely answer to all three questions is no.
Why do we have such checks in place?
They’re there to stop the Jesse Jameses and John Dillingers of modern times from taking what isn’t theirs. Your practice is the bank, personal health information (PHI) is the deposits, and data encryption is the vault that keeps those deposits safe.
Organized criminal groups know what PHI is worth: it includes your patients’ insurance details, Social Security numbers and credit card numbers, and they keep devising new ways to get at it.
However, recent data on PHI theft suggests that most breaches are caused not by someone hacking into a practice but by negligence on the part of physicians or practice staff.
The typical scenario: someone at the practice copies EMR data onto a portable device (usually unencrypted) intending to work from home, and the device is then lost or stolen.
In other cases the data on an on-premise server or in-house computer is encrypted, but the decryption key is saved on the same machine, so whoever walks off with the machine also walks off with the key and the data ends up in the wrong hands.
“Someone could find that key and use it to decrypt information,” says Podgurski, a computer science professor at Case Western Reserve University, who co-authored the study “E-Health Hazards: Provider Liability and Electronic Health Record Systems”.
Yet in spite of these risks, a late 2011 HIMSS survey of 329 healthcare organizations revealed that only 44 percent of respondents encrypt their mobile devices. Only 29 percent said that all of the data on their laptops is encrypted, while 42 percent said none of their desktop data is encrypted. About one out of four respondents (23 percent) said that none of their e-mails are encrypted.
Such negligence on a practice’s part can be harmful for the patients concerned, and for the practice a breach not only damages its reputation but also exposes it to heavy fines and penalties from the government.
Ready to take encryption and data protection seriously? Here’s how you can beef up your security and stay HIPAA compliant:
Encryption 101
Encryption is the conversion of data into a form, called ciphertext, that cannot be understood by another party, human or machine, without first being decrypted with the right key. The two broad families of encryption differ in who holds the keys, and therefore in who can decrypt.
With symmetric (also called private-key or shared-key) encryption, a single secret key both encrypts and decrypts, so every staff member you give that key to can read everything protected by it. It is simple and fast, and it is what full-disk and database encryption use, but access control is only as good as your control over who holds that one key.
With public-key (asymmetric) encryption, each user has a key pair: the public key, which can be shared freely, encrypts, and only the matching private key decrypts. That lets you encrypt a record so that only a specific recipient, for example the attending physician, can open it, even though anyone in the practice can encrypt to that person. In practice the two are combined: a fresh symmetric key encrypts the record and the recipient’s public key encrypts that symmetric key.
With encryption, even if someone gains access to sensitive information stored at your practice, they cannot make sense of it without the respective keys. Two caveats follow from that. First, the key must not live next to the data: a laptop whose disk-encryption key is cached on the same disk, or a server with the database key in a file beside the database, is not meaningfully encrypted, and a lost device only escapes breach notification if the key was not compromised along with it. Second, unless you have this expertise in house, have a specialist implement the system; the mistake practices make is rarely the choice of algorithm and almost always the handling of keys.
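The two families described above, shown as working code. This is an added example and not code from the original article; it uses only Go’s standard library. The record, the staff names and the 2048-bit RSA key size are constructed for the example. The symmetric half seals a record under one shared key with AES-256-GCM (so a wrong key or a tampered byte is rejected rather than yielding garbage); the public-key half seals a fresh data key for one recipient with RSA-OAEP, so a second staff member’s private key cannot open it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample record; not real patient data.
const sampleRecord = "MRN000123 | Jane Doe | DOB 1970-01-01 | Dx: type 2 diabetes"

// randomBytes returns n bytes from the OS CSPRNG.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

// encryptSymmetric seals plaintext under a shared 256-bit key with AES-256-GCM.
// Output layout: nonce || ciphertext || tag. Anyone holding key can open it.
func encryptSymmetric(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptSymmetric reverses encryptSymmetric. A wrong key or any modified
// byte fails the GCM tag check and returns an error, never garbage plaintext.
func decryptSymmetric(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Envelope is a record encrypted for one recipient: a fresh data key seals
// the record, and RSA-OAEP wraps that data key under the recipient's public key.
type Envelope struct {
	WrappedKey []byte
	Sealed     []byte
}

// newRecipientKey generates a recipient's RSA key pair (2048 bits, assumed here).
func newRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// encryptForRecipient needs only the recipient's public key, which can be
// handed to every staff member; holding it grants nobody the ability to decrypt.
func encryptForRecipient(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dataKey := randomBytes(32)
	sealed, err := encryptSymmetric(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Sealed: sealed}, nil
}

// decryptAsRecipient succeeds only with the private key matching the public
// key that encryptForRecipient was given.
func decryptAsRecipient(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return decryptSymmetric(dataKey, env.Sealed)
}

func main() {
	// Shared-key case: the whole care team holds teamKey.
	teamKey := randomBytes(32)
	sealed, _ := encryptSymmetric(teamKey, []byte(sampleRecord))
	pt, _ := decryptSymmetric(teamKey, sealed)
	fmt.Println("team key opens record:", string(pt) == sampleRecord)
	_, err := decryptSymmetric(randomBytes(32), sealed)
	fmt.Println("wrong key rejected:", err != nil)

	// Public-key case: sealed so that only the physician can read it.
	physician, _ := newRecipientKey()
	nurse, _ := newRecipientKey()
	env, _ := encryptForRecipient(&physician.PublicKey, []byte(sampleRecord))
	pt, _ = decryptAsRecipient(physician, env)
	fmt.Println("physician opens record:", string(pt) == sampleRecord)
	_, err = decryptAsRecipient(nurse, env)
	fmt.Println("nurse rejected:", err != nil)
}
```

The point of the envelope layout is the one made in the text: the data key is generated per record and is never stored beside the ciphertext in the clear, only wrapped under a public key, so possession of the server or laptop that holds the envelope is not possession of the record.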
Dealing with portable devices
Most Electronic Medical Records (EMR) systems have access checks built in, so the breach usually happens when someone at the practice copies data out of the system onto a USB stick, an e-mail attachment or some other medium that has no encryption of its own. Once such a device is misplaced or stolen, everything on it is exposed.
One answer is central management of every portable device that holds practice data. From a single console you can see whether each device is encrypted, enforce that it stays encrypted, and, if a device is stolen, verify what protection it had at the time.
A second requirement for portable devices is remote wiping. With it, you can erase the contents of a specific user’s device the moment it is reported lost, and record that you did so.
Sending E-mails
Regular e-mail should not be used to transfer PHI; many practices have been penalized for sending unencrypted e-mails containing sensitive patient information. When corresponding with patients or other parties, make sure the messages are encrypted. Better still, use a patient portal, which keeps the PHI inside an authenticated, encrypted system instead of sending it across the open Internet.
Monitoring Audit Trails
Audit trails in your EHR are not only a record of a patient’s clinical encounter but also a way to monitor your staff’s behavior: you can see who accessed which patient’s information and when. Reviewed regularly, rather than only after a complaint, they let you spot abnormal activity, such as after-hours access, a user reading charts of patients who are not theirs, or one account browsing an unusual number of records, and take the person concerned to task so that the whole staff takes PHI safety seriously.
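An added example of that review, not code from the original article or from any EHR vendor: the log format (one event per line, an RFC 3339 timestamp followed by key=value fields), the user names, the care-team assignments and the three rules are all constructed for the example. It flags access outside 06:00-20:00, access to a patient the user is not assigned to, and a user touching more than a threshold of distinct patients in one day.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample EHR access log (eight events). The field names and the
// line format are assumptions for this example, not any vendor's format.
const sampleLog = `2024-03-04T09:05:00Z user=rpatel role=physician patient=MRN000123 action=view
2024-03-04T09:07:00Z user=rpatel role=physician patient=MRN000123 action=update
2024-03-04T02:41:00Z user=tlee role=billing patient=MRN000456 action=view
2024-03-04T13:10:00Z user=mgarcia role=nurse patient=MRN000789 action=view
2024-03-04T13:12:00Z user=mgarcia role=nurse patient=MRN000790 action=view
2024-03-04T13:14:00Z user=mgarcia role=nurse patient=MRN000791 action=view
2024-03-04T13:16:00Z user=mgarcia role=nurse patient=MRN000792 action=view
2024-03-04T15:30:00Z user=tlee role=billing patient=MRN000123 action=view`

// Constructed care-team assignments: the patients each user is expected to touch.
var sampleCareTeam = map[string][]string{
	"rpatel":  {"MRN000123"},
	"tlee":    {"MRN000456"},
	"mgarcia": {"MRN000789", "MRN000790", "MRN000791", "MRN000792"},
}

type Event struct {
	When    time.Time
	User    string
	Role    string
	Patient string
	Action  string
}

type Finding struct {
	Rule   string // "after_hours", "not_on_care_team" or "bulk_access"
	User   string
	Detail string
}

// parseLine turns one "<RFC3339 timestamp> key=value ..." line into an Event.
func parseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	when, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	ev := Event{When: when}
	for _, kv := range fields[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return Event{}, fmt.Errorf("bad field %q in %q", kv, line)
		}
		switch k {
		case "user":
			ev.User = v
		case "role":
			ev.Role = v
		case "patient":
			ev.Patient = v
		case "action":
			ev.Action = v
		}
	}
	if ev.User == "" || ev.Patient == "" {
		return Event{}, fmt.Errorf("missing user or patient in %q", line)
	}
	return ev, nil
}

// DetectAnomalies applies three rules to every event in logText:
//   - access outside 06:00-20:00 (clock hour of the event timestamp),
//   - access to a patient the user is not assigned to in careTeam,
//   - more than maxPatientsPerDay distinct patients by one user on one day
//     (reported once, when the threshold is first exceeded).
func DetectAnomalies(logText string, careTeam map[string][]string, maxPatientsPerDay int) ([]Finding, error) {
	assigned := make(map[string]map[string]bool)
	for user, patients := range careTeam {
		assigned[user] = make(map[string]bool)
		for _, p := range patients {
			assigned[user][p] = true
		}
	}
	seen := make(map[string]map[string]bool) // "user|day" -> distinct patients
	var findings []Finding
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		ev, err := parseLine(line)
		if err != nil {
			return nil, err // a log you cannot parse is itself a finding worth stopping on
		}
		if h := ev.When.Hour(); h < 6 || h >= 20 {
			findings = append(findings, Finding{"after_hours", ev.User,
				fmt.Sprintf("%s %s at %s", ev.Action, ev.Patient, ev.When.Format(time.RFC3339))})
		}
		if !assigned[ev.User][ev.Patient] { // nil inner map reads as false
			findings = append(findings, Finding{"not_on_care_team", ev.User,
				fmt.Sprintf("%s %s (role %s)", ev.Action, ev.Patient, ev.Role)})
		}
		day := ev.User + "|" + ev.When.Format("2006-01-02")
		if seen[day] == nil {
			seen[day] = make(map[string]bool)
		}
		seen[day][ev.Patient] = true
		if len(seen[day]) == maxPatientsPerDay+1 {
			findings = append(findings, Finding{"bulk_access", ev.User,
				fmt.Sprintf("%d distinct patients on %s", len(seen[day]), ev.When.Format("2006-01-02"))})
		}
	}
	return findings, nil
}

func main() {
	findings, err := DetectAnomalies(sampleLog, sampleCareTeam, 3)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-17s %-8s %s\n", f.Rule, f.User, f.Detail)
	}
}
```

On the sample log this reports three findings: the billing user’s 02:41 access, the nurse crossing the three-patient threshold on her fourth chart, and the billing user reading a physician’s patient. The thresholds and the working-hours window are the parts to tune to your practice; the care-team list is the part worth maintaining, because the second rule is only as good as that list.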
The best policy?
If you’re not sure how to handle a particular security situation, contact your firewall or encryption vendor and get it resolved promptly. Do not risk exposing yourself because of a gap in information or understanding about a communication medium.
Also be aware that HIPAA security compliance is like a clinical encounter: If it’s not documented, then it didn’t happen. Therefore, document everything and make it part of a security manual.