Time to settle some misconceptions about HIPAA and the privacy of your information. I get this question all the time, and it goes something to the effect of “Isn’t my private medical information protected?” The answer is simple: sort of.
By “sort of” I mean this. There are NO REQUIREMENTS that medical data be encrypted. The only thing close to a requirement is the suggestion of encryption where it is “reasonable and appropriate” to do so. HIPAA and the HITECH Act only provide GUIDELINES for security practices. That’s it.
Now, I am not arguing that you should not implement encryption. As a matter of fact, I STRONGLY ENCOURAGE clients to use available technology to encrypt servers and workstations. Just remember though, when security is increased – convenience is decreased. By encrypting your servers and/or workstations, you are going to disrupt the normal workflow.
After working with medical providers of varying sizes, I can assure you that your medical records are NOT as safe as you might think.
Encrypting data isn’t going to stop someone from viewing that same data when it is sitting on a FAX MACHINE unattended, waiting to be picked up. Encrypting data isn’t going to stop someone from viewing that data while it sits on the common office printer or copier – a machine that typically does not even have a method to wipe its hard drive when the lease is up.
I also get asked a lot about “cloud storage” of data. Is it safe? Again – storing your data in the cloud, which really just means using a third-party service accessible over the internet, is relatively safe. If your backup service encrypts the data client-side (on your computer) BEFORE sending it to “the cloud” AND uses good encryption methods, then it’s absolutely safe. However, if you send data unencrypted, even if you use SSL to transmit it, then you run a greater risk. Arguably, you run no greater risk than with the unencrypted data that is accessible from exploitable Windows workstations in a hospital or doctor’s office. Think of the Sony problems. Think of the Target problems.
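To make the difference between “encrypted on the client before upload” and “sent over SSL” concrete, here is an added Go example; it is not code from the original post or from any backup provider mentioned in it. It models a backup client in two modes: uploading a record as-is over a protected connection (the provider stores the plaintext), and sealing the record with AES-256-GCM on the client before upload (the provider stores only ciphertext). The in-memory `cloudStore`, the sample record and the key handling are all constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// cloudStore stands in for the backup provider: it keeps whatever bytes the
// client uploads. With TLS-only transfer those bytes are the plaintext record;
// with client-side encryption they are ciphertext.
type cloudStore struct{ objects map[string][]byte }

func newCloudStore() *cloudStore { return &cloudStore{objects: map[string][]byte{}} }

func (c *cloudStore) put(name string, data []byte) { c.objects[name] = append([]byte(nil), data...) }
func (c *cloudStore) get(name string) []byte        { return append([]byte(nil), c.objects[name]...) }

// providerCanRead reports whether anyone with access to the provider's storage
// (an admin, a breach, a subpoena) could read the record without the client's key.
func (c *cloudStore) providerCanRead(name string, plaintext []byte) bool {
	return bytes.Contains(c.get(name), plaintext)
}

// newKey generates a 256-bit AES key. In a real client the key stays on the
// client machine (or is derived from a passphrase) and is never uploaded.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt seals plaintext with AES-256-GCM. The random 12-byte nonce is
// prepended to the ciphertext; GCM's authentication tag makes tampering
// with the stored blob detectable on restore.
func encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decrypt reverses encrypt and fails if the key is wrong or the blob was modified.
func decrypt(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// backupTLSOnly models "send it unencrypted over SSL": the wire is protected,
// but the provider stores, and can read, the plaintext.
func backupTLSOnly(store *cloudStore, name string, record []byte) {
	store.put(name, record)
}

// backupClientSide encrypts BEFORE upload, so the provider only ever holds ciphertext.
func backupClientSide(store *cloudStore, key []byte, name string, record []byte) error {
	blob, err := encrypt(key, record)
	if err != nil {
		return err
	}
	store.put(name, blob)
	return nil
}

func main() {
	// Constructed sample record, not real patient data.
	record := []byte("MRN 000000; Patient: J. Doe; Dx: example-condition")
	store := newCloudStore()
	key, _ := newKey()

	backupTLSOnly(store, "tls-only/chart.txt", record)
	_ = backupClientSide(store, key, "client-side/chart.txt", record)

	fmt.Println("TLS-only, provider can read record:", store.providerCanRead("tls-only/chart.txt", record))
	fmt.Println("Client-side, provider can read record:", store.providerCanRead("client-side/chart.txt", record))
}
```

The point of the example is where the key lives: SSL protects the record in transit, but the provider still holds it in the clear at rest, so every administrator, breach or legal demand on the provider's side reaches it. With client-side encryption the provider can only hand back the blob it was given, and a modified or wrong-key blob fails to decrypt instead of silently restoring garbage. “Good encryption methods” here means an authenticated cipher like AES-GCM with a fresh random nonce per object, and the trade-off the post describes applies: the key is now the thing you must not lose, because the provider cannot recover your data without it.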
The real issue with cloud storage or backup providers is liability. To be covered and safe, you want to look for a company that will enter into a Business Associate Agreement. All that agreement guarantees is that the company follows the “standards” required by HIPAA, which really aren’t much. However, due to the litigious nature of everything these days, not many companies are willing to do this yet. Google Apps (paid service – not Gmail), Carbonite and Microsoft will – but Dropbox currently does not.
Remember: Security is a relative term.