The HIPAA Security Rule, references secure transmission and the use of encryption. Although the Rule does not require the use of encryption, it's included as an "addressable" implementation specification. In other words, a healthcare organization covered under HIPAA has three choices: implement the specification as it appears in the Rule, implement an alternative that is equivalent to the specification or document why the specification is not applicable and therefore is not implemented.
Given the availability and affordability of encryption technology today, it is difficult for a healthcare organization to justify not using some form of it when transmitting PHI. A number of vendors offer a variety of reasonably priced encryption hardware and software, as well as outsourcing options. Now we'll review the options in more detail.
A number of vendors offer products that encrypt e-mail messages, are easy to use and provide the ability to send private data, including e-mail attachments, securely. The recipient can respond using the same encryption method. Many of these products are Web-based. They work by sending a link to the recipient, who then clicks on it and logs on to a secure e-mail server, which the organization either owns or outsources to an appropriate vendor. The recipient is then able to read the e-mail and any attachments securely, and send a secure response including attachments if needed.
There is also non-Web-based technology that allows transportation of secure messages from one person or organization to another, the most common of which is public key infrastructure (PKI). PKI requires an exchange of keys used to unlock the encrypted file. For example, Bob wants to send a secure e-mail to Sue, so he gives her a copy of his public key to open his encrypted message. Bob retains the private key he used to encrypt the message or file, which he can also use, especially with a digital signature, to authenticate himself as the sender. A digital signature is a small electronic file that is unique to each sender and specifically authenticates his or her identity. In many states, a digital signature can be used and is enforceable to the same extent as an original signature on a contract or other legal document.
There haven't been any large PKI deployments as of yet, mainly due to it being cumbersome, and the difficultly of administering and managing keys. However, PKI has been successful with small deployments and is frequently used for sending large files between organizations such as health plans and healthcare clearinghouses.
One method of secure data transmission often used in conjunction with PKI to encrypt and authenticate large data files, is secure file transfer protocol (FTP). However, it is not used for transmission between individuals. The technology is readily available and recommended for organizations transmitting large amounts of data, such as claims transactions and electronic remittance advices through clearinghouses.
Web site encryption
Some organizations transmit data between applications, such as an electronic health record. It is wise to view such transmissions, if the data travels outside an organization, as any message sent over the Internet, meaning it's subject to interception and, unless properly protected, misuse. When transmitting sensitive data between applications, it is sound and good security practice to evaluate the encryption capabilities of the application(s) and implement an encryption solution beforehand. An organization can obtain this technology from the vendor that manufactures the application or a custom-programmed product that accommodates application functionality while protecting the data as it travels from one point to another.
Remote user communication
Remote users present an additional security risk, because they are often communicating between their home and an organization. This means they not only need to be aware of secure data transmission requirements, but also other information security risks associated with remote access to confidential information. To secure communication with remote users, install a virtual private network (VPN), which encrypts all the data sent between its users. This technology is readily available on the market, and it is advisable that organizations with remote users install it. If a VPN is not established and a modem is not in use (which is generally not an efficient method of accessing a company network), all data transmitted over the Internet is subject to interception and inappropriate use.
Laptops and PDAs
These portable devices can be easily lost or stolen. Therefore, it is wise for organizations using these devices to transport confidential information to encrypt the data stored on those devices. This protects the organization against inappropriate data disclosure if the portable device is lost or stolen. Encryption programs are available for portable devices and the cost of such software is reasonable and affordable, even for smaller organizations.
Wireless threats are on the rise and unsecured wireless networks are significant points of vulnerability and open up organizations to easy hacker access. Therefore, it's becoming increasingly important, to prevent access by anyone not authorized to access the network. Also, encrypt all data transmitted between wireless devices to prevent inappropriate disclosure of confidential information. Laptops connected to wireless networks are becoming more common, especially in hospital emergency rooms where medical and health insurance information is collected. These laptops communicate with the organization's wireless server and update applications, health records, etc. This data is generally sensitive and needs the extra layer of protection that encryption provides.
About the author
Chris Apgar, CISSP, is president of Apgar & Associates, LLC and former HIPAA Compliance officer for Providence Health Plans in Oregon and SW Washington. He is a nationally recognized data security, privacy, transaction and code sets, regulatory and HIPAA expert. He is a member of the HIPAA Compliance Insider Advisory Board, the Security Compliance Insider Advisory Board, the URAC Privacy Advisory Committee, and chairs the Oregon and SW Washington Healthcare, Privacy & Security Forum and the Forum's Transaction & Code Set Workgroup. Mr. Apgar now operates an independent consulting firm specializing in security, privacy, HIPAA, global and detailed business process review, information systems project development, and lobbyist activity.
This was first published in January 2006