Encryption: Protect your patients and your practice

Encryption is one of the simplest and most effective steps an optometrist can take to protect electronic patient information, according to Michael Stokes, J.D., AOA General Counsel.

"All ODs have to do is enable the encryption feature on their EHRs and digital devices."

"Unfortunately, it is often underutilized," Stokes said.

Many health care practitioners fail to encrypt patient information stored on CDs, laptop computers or other digital devices such as tablets, Stokes said. Yet these devices pose the greatest risk for the loss or theft of patient information.

Using passwords and user identification alone is not enough. To meet federal Health Insurance Portability and Accountability Act (HIPAA) standards and protect patient information, encryption is crucial.

What is encryption?

Encryption is the process of specially encoding messages or information to make it unreadable to people who should not have access.

Most computers and many other devices that store data have built-in encryption systems. And virtually all electronic health records (EHR) systems offer encryption. In most cases, users just need to activate the encryption program. Generally that involves simply pressing a button or selecting the encryption option on a program menu.

Once encryption is activated, information stored on the device is effectively protected should the device be lost or stolen, Stokes said. In addition, information transferred to a CD or other storage medium will be rendered unreadable to unintended viewers.
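Activating the feature is only half the job; a practice also needs to confirm that protection is actually on and that encryption has finished on every internal drive. The following check is an added example, not from the AOA article, and assumes a Windows 10/11 Pro or Enterprise laptop with the BitLocker PowerShell module, run from an elevated PowerShell prompt:

```powershell
# Added example (not from the AOA article): report the BitLocker state of every
# fixed drive so an unencrypted or suspended drive is caught before a laptop
# goes missing. Assumes Windows 10/11 Pro/Enterprise with the BitLocker module.

function Test-FixedDriveEncryption {
    $findings = @()
    # Only fixed (internal) drives with a letter are checked here; removable
    # media such as USB sticks or CDs is handled separately.
    $fixed = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter }
    foreach ($vol in $fixed) {
        $mount = "$($vol.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        if (-not $bl -or $bl.VolumeStatus -eq 'FullyDecrypted') {
            $findings += [pscustomobject]@{ Drive = $mount; Status = 'NOT ENCRYPTED'; Percent = 0 }
            continue
        }
        # ProtectionStatus 'On' means a key protector is active. A drive that is
        # encrypted but has protection suspended is still readable if stolen.
        if ($bl.ProtectionStatus -eq 'On' -and $bl.EncryptionPercentage -eq 100) {
            $state = 'PROTECTED'
        } elseif ($bl.ProtectionStatus -eq 'On') {
            $state = 'ENCRYPTING'
        } else {
            $state = 'PROTECTION OFF'
        }
        $findings += [pscustomobject]@{ Drive = $mount; Status = $state; Percent = $bl.EncryptionPercentage }
    }
    return $findings
}

$results = Test-FixedDriveEncryption
$results | Format-Table -AutoSize

# Any drive that is not PROTECTED is a device on which lost patient data would
# still be a reportable breach; exit non-zero so a scheduled task can flag it.
if ($results | Where-Object { $_.Status -ne 'PROTECTED' }) { exit 1 } else { exit 0 }
```

Run it on each laptop periodically (for example as a scheduled task) rather than once, because protection can be suspended by updates or by a user.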

Why passwords are not enough

Using passwords and user identification on electronic devices is not sufficient to meet HIPAA standards, Stokes emphasized. Many information thieves can easily find their way past password and ID protection.

Under law, health care practitioners who fail to secure patient information must report privacy breaches to affected parties, government officials, and, in some cases, the media. They may also be subject to substantial fines and civil liability.

Fortunately, most optometrists already have the technology to prevent such breaches and meet HIPAA standards.

"All optometrists have to do is enable the encryption feature on their EHRs and digital devices," Stokes said. "Then, even if they lose a laptop or get hacked, the potential loss of encrypted data is not considered a 'breach,' and there is no public reporting, no federal penalties, no public embarrassment, and probably no civil liability. Problem solved."

To help guide optometrists, the AOA also provides online HIPAA compliance resources.

September 12, 2013
