In the late 1950s, a northern California newspaper published an article about oversized footprints discovered by loggers. Those big feet were all the proof people needed to spread the rumor, and the rumor gained wildly unexpected popularity. Seventy years later, Bigfoot’s mythology still looms large.
Encryption has taken on its own mythical reputation. It’s widely believed that encryption is the only tool needed for email to meet HIPAA compliance laws. That myth has spread as easily as rumors of the 7-foot-tall legend. Fortunately, it’s much easier to disprove the myth about encryption.
Encryption takes the Protected Health Information (PHI) you are trying to send electronically and scrambles it so that no one who intercepts it can read it while it’s en route from your computer to another doctor. It is then de-scrambled and arrives in its original state in the recipient’s inbox.
Unfortunately, many email providers are trying to convince doctors that encryption is all that’s needed to comply with the HIPAA Security Rule and its safeguards. Encryption is a critical part of compliance—emphasis on the word “part.” The Security Rule has six parts (listed below), and all of them must be met. The federal government’s preferred guideline for compliance is built on the Direct protocol, which meets its standard for provider verification.
1. Authenticate Recipients: Your secure email exchange should automatically verify that the doctor to whom you are sending ePHI is a registered provider.
2. Control Access: Only authorized users should be able to access the content of emails. At a minimum, your secure email system should log users off automatically.
3. Transmit Securely: This is the encryption part. The higher the encryption level, the more secure your ePHI. For example, if your secure email exchange uses a 2048-bit encryption level, it would take quadrillions of years to break into that email using today’s technology.
4. Unaltered Records/Integrity: All your patient information must be kept in such a way that it can’t be altered or lost. The smartest backup systems store your ePHI at multiple secure data centers—not your office, home or briefcase. Cloud-based backups keep your ePHI on secure servers located around the country. In the rare event that one location is compromised, the other backup locations have you covered.
5. Audit Every Message: You can be audited at any time, and anyone can submit a HIPAA complaint against your practice. If you are audited, you will be required to quickly produce a detailed trail of all emails containing ePHI.
6. Lock Away ePHI for 6 Years: Your records need to be securely stored for a minimum of six years in a way that the information can’t be altered or lost.
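The integrity, audit-trail and six-year retention requirements above all come down to the same engineering question: can you produce a complete record of every ePHI transmission and prove it has not been edited or thinned out since it was written? The following Python script is an added illustration written for this article; it is not iCoreExchange’s code, and the article does not prescribe any particular mechanism. It assumes a hash-chained, append-only audit log as the tamper-evidence technique, where each entry’s SHA-256 covers its own fields plus the previous entry’s hash, so that editing, deleting or reordering any entry breaks the chain. The sender and recipient addresses and timestamps are constructed sample data.

```python
"""Tamper-evident audit trail for ePHI email events (added example, not from the article)."""
import copy
import hashlib
import json
from datetime import datetime, timedelta

GENESIS_HASH = "0" * 64              # chain anchor for the first entry
RETENTION = timedelta(days=6 * 365)  # six-year minimum stated in the article


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same fields always hash the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_entry(log: list, sender: str, recipient: str, message_id: str, sent_at: str) -> dict:
    """Append one ePHI transmission event and link it to the previous entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    record = {
        "seq": len(log),
        "sender": sender,
        "recipient": recipient,
        "message_id": message_id,
        "sent_at": sent_at,  # ISO-8601 timestamp, stored verbatim
    }
    entry = dict(record, prev_hash=prev_hash, hash=_entry_hash(prev_hash, record))
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Recompute every link; return (True, None) or (False, index of first bad entry)."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if entry["seq"] != i or entry["prev_hash"] != prev_hash:
            return False, i  # an entry was removed, reordered or re-linked
        if entry["hash"] != _entry_hash(prev_hash, record):
            return False, i  # a field in this entry was edited after the fact
        prev_hash = entry["hash"]
    return True, None


def trail_for(log: list, recipient: str) -> list:
    """The per-provider trail an auditor would ask for: message ids sent to one doctor."""
    return [e["message_id"] for e in log if e["recipient"] == recipient]


def must_retain_until(sent_at: str) -> str:
    """Earliest moment the entry may be purged under the six-year rule."""
    return (datetime.fromisoformat(sent_at) + RETENTION).isoformat()


def build_sample_log() -> list:
    """Constructed sample events (not real traffic) so the example runs offline."""
    log = []
    append_entry(log, "dr.a@clinic.example", "dr.b@hospital.example", "msg-001", "2024-01-15T09:30:00+00:00")
    append_entry(log, "dr.a@clinic.example", "dr.c@lab.example", "msg-002", "2024-01-15T09:35:00+00:00")
    append_entry(log, "dr.b@hospital.example", "dr.a@clinic.example", "msg-003", "2024-01-16T14:00:00+00:00")
    return log


def tampered_copy(log: list, seq: int, field: str, value) -> list:
    """Deep copy of the log with one field altered, to show that the chain detects it."""
    altered = copy.deepcopy(log)
    altered[seq][field] = value
    return altered


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))
    print("trail for dr.a:", trail_for(log, "dr.a@clinic.example"))
    print("edited entry:", verify_chain(tampered_copy(log, 1, "recipient", "someone@else.example")))
    print("deleted entry:", verify_chain(log[:1] + log[2:]))
    print("retain msg-001 until:", must_retain_until("2024-01-15T09:30:00+00:00"))
```

Run it directly to see the intact chain verify, a silently edited recipient and a deleted entry both reported at the point where the chain breaks, and the retention deadline for the first message. In a real deployment the log would live on the off-site backup servers the article describes rather than on the sending workstation, so that an attacker who alters a workstation cannot also rewrite the chain.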
Take the mystery and myth out of HIPAA compliance by understanding the full scope of what’s required. Being compliant is much, much easier than finding Bigfoot!
iCoreExchange’s HIPAA-compliant email not only meets or exceeds every requirement, it also allows you to attach as many large files as you want to any single email. TDA members receive a substantial discount on iCoreExchange.