Would you ever buy an SUV without locks? Or leave the keys in the ignition while you’re grocery shopping?

Would you be happy to deposit your hard-earned money in a bank with no security protocol, so that anybody could walk in and get away with all the money stored inside? The likely answer to all three questions is no.

Why do we have such checks in place?

They’re there to stop the Jesse Jameses and John Dillingers of modern times from stealing what isn’t theirs. Your practice is the bank, personal health information (PHI) is the deposits, and data encryption is the vault that keeps those deposits safe.

Organized criminal groups know the value of PHI, which includes your patients’ insurance details, Social Security numbers and credit card numbers, and they keep devising new ways to get at it.

However, recent data on PHI theft suggests that most breaches are caused not by someone hacking into a practice but by physician or practice negligence.

The typical scenario: someone at the practice copies EMR data onto a portable device, usually an unencrypted one, intending to work from home, and the device is then lost or stolen.

In other cases, data on an on-premise server or an in-house computer sits next to its own decryption key, saved on the same machine, and both end up in the wrong hands together.

“Someone could find that key and use it to decrypt information,” says Podgurski, a computer science professor at Case Western Reserve University who coauthored the study “E-Health Hazards: Provider Liability and Electronic Health Record Systems.”

Yet in spite of these risks, a late-2011 HIMSS survey of 329 healthcare organizations found that only 44 percent of respondents encrypt their mobile devices. Only 29 percent said all of the data on their laptops is encrypted, while 42 percent said none of their desktop data is encrypted. About one in four respondents (23 percent) said none of their e-mail is encrypted.

Such negligence on a practice’s part can be extremely harmful to the patients concerned, whose stolen identities and insurance details feed fraud well beyond the practice. For the practice itself, a breach not only damages its reputation but also exposes it to heavy fines and penalties from the government.

Ready to take encryption and data protection seriously? Here’s how to beef up security and stay HIPAA compliant:

Encryption 101

Encryption is the conversion of data into a form, often called ciphertext, that cannot be understood by another party, man or machine, without first being decrypted. Several types of encryption exist, and they offer different properties.

With symmetric (shared-key, sometimes called “private key”) encryption, a single key both encrypts and decrypts, so every staff member who is given that key can read the information. It is fast and simple, which is why disk and device encryption use it, but the key must be distributed to everyone who needs access and kept from everyone else.

Public key (asymmetric) encryption uses a key pair instead: anyone holding the public key can encrypt a message, but only the holder of the matching private key can decrypt it. That lets you address information to specific people, for example only the treating physician, physician assistant or nurse, without handing the whole practice one shared secret; combined with digital signatures, it also lets the recipient verify who sent the data.

With encryption in place, someone who gets hold of the data stored at your practice still cannot make sense of it without the corresponding key, which is exactly why that key must never be stored beside the data it protects. You will likely need an encryption specialist, or your EHR vendor, to implement such a system correctly.
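The two models described above, shown side by side in an added example (not code from the original article or from any EHR vendor). It uses only Go’s standard library: AES-256-GCM for the shared-key case and RSA-OAEP for the public-key case. The patient record is a constructed string, the keys are generated on the spot, and the check that a second, unrelated private key cannot open the public-key ciphertext is the property the text relies on when it says only specific people can read the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SymmetricSeal encrypts plaintext with AES-256-GCM under one shared key:
// whoever holds key can both encrypt and decrypt. The random nonce is
// prefixed to the output and GCM's tag is appended, so tampering is detected.
func SymmetricSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricOpen reverses SymmetricSeal; it fails on a wrong key or any change
// to the ciphertext.
func SymmetricOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// PublicKeySeal encrypts for one recipient with RSA-OAEP (SHA-256): the public
// key can be handed to everyone, only the matching private key decrypts. OAEP
// limits the message size, so real systems wrap a symmetric key this way.
func PublicKeySeal(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

func PublicKeyOpen(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// RoundTripSymmetric reports whether the key holder recovers the record and
// whether a one-byte change to the ciphertext is rejected.
func RoundTripSymmetric(record []byte) (bool, bool, error) {
	key := make([]byte, 32) // AES-256 key; belongs in a key store, never beside the data
	if _, err := rand.Read(key); err != nil {
		return false, false, err
	}
	sealed, err := SymmetricSeal(key, record)
	if err != nil {
		return false, false, err
	}
	opened, err := SymmetricOpen(key, sealed)
	recovered := err == nil && bytes.Equal(opened, record)
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = SymmetricOpen(key, tampered)
	return recovered, err != nil, nil
}

// RoundTripPublicKey reports whether the intended recipient recovers the record
// and whether a different private key is refused.
func RoundTripPublicKey(record []byte) (bool, bool, error) {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	ciphertext, err := PublicKeySeal(&recipient.PublicKey, record)
	if err != nil {
		return false, false, err
	}
	opened, err := PublicKeyOpen(recipient, ciphertext)
	recovered := err == nil && bytes.Equal(opened, record)
	_, err = PublicKeyOpen(other, ciphertext)
	return recovered, err != nil, nil
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("MRN 1001, DOB 1970-01-01, ICD-10 E11.9")
	fmt.Println(RoundTripSymmetric(record))
	fmt.Println(RoundTripPublicKey(record))
}
```

Both round trips print `true true <nil>`: the right key recovers the record, and the wrong key or a tampered ciphertext is refused rather than yielding garbage.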

Dealing with portable devices

Most Electronic Medical Record (EMR) systems have access controls built in, so the breach usually happens when someone at the practice copies data out of the system onto a USB drive, into an e-mail attachment or through some other channel that generally lacks encryption. Once such a device is misplaced or stolen, nothing stands between the thief and the data.

One remedy is central control of every portable device that holds practice data. Such a system lets you monitor the encryption status of all of these devices and, if one is lost or stolen, show whether the data on it was protected. Under the HIPAA breach notification rules, PHI that was encrypted in line with HHS guidance is treated as secured, so that record can be the difference between an inventory note and a reportable breach.

Another recommendation is built-in remote-wipe functionality, so that the content of a specific user’s device can be erased if the need arises. Remote wipe complements encryption rather than replacing it: the command only takes effect once the device reconnects, and a thief who pulls the storage out first will never receive it.

Sending E-mails

Regular e-mail should not be used to transfer PHI; many practices have been grilled for sending unencrypted e-mails with sensitive patient information. When interacting with patients or other parties, make sure the messages are encrypted, and start using a patient portal, which is the safest way to transfer PHI.

Monitoring Audit Trails

Audit trails in your EHR are not only a record of a patient’s clinical encounters but also a way to monitor your staff’s behavior: you can see who accessed which patient’s information and when. Abnormal activity, such as one user viewing many unrelated patients in a short span or pulling records late at night, can then be detected and the person concerned taken to task, so that your staff take PHI safety seriously.
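What “abnormal activity” looks like in practice, as an added example that is not part of the original article and does not come from any particular EHR product. The audit log below is constructed (timestamp, user, role, patient, action), the working hours (07:00 to 19:00) and the bulk-access threshold (five or more distinct patients within one hour) are assumed policy values, and the two rules are the kind of review a practice can run over an exported audit trail.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AccessEvent is one row of an EHR audit trail.
type AccessEvent struct {
	At      time.Time
	User    string
	Role    string
	Patient string
	Action  string
}

// Constructed sample audit trail (not from a real EHR). Times are UTC for simplicity.
const sampleAuditLog = `2011-11-14T09:02:11Z,dr.ahmed,physician,MRN1001,view
2011-11-14T09:15:40Z,dr.ahmed,physician,MRN1002,view
2011-11-14T10:05:03Z,n.lopez,nurse,MRN1001,view
2011-11-14T22:41:19Z,j.smith,billing,MRN1001,view
2011-11-14T22:42:02Z,j.smith,billing,MRN1002,view
2011-11-14T22:42:45Z,j.smith,billing,MRN1003,view
2011-11-14T22:43:30Z,j.smith,billing,MRN1004,view
2011-11-14T22:44:12Z,j.smith,billing,MRN1005,view
2011-11-14T22:45:00Z,j.smith,billing,MRN1006,view
2011-11-15T13:10:00Z,n.lopez,nurse,MRN1007,view`

// Assumed policy thresholds.
const (
	workdayStart  = 7  // first working hour (inclusive)
	workdayEnd    = 19 // first non-working hour
	bulkWindow    = time.Hour
	bulkThreshold = 5 // distinct patients within bulkWindow that trigger a finding
)

// ParseAuditLog turns the CSV-style rows into events. A malformed row is an
// error rather than skipped, because a gap in the trail is itself worth noticing.
func ParseAuditLog(raw string) ([]AccessEvent, error) {
	var events []AccessEvent
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", n+1, len(f))
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		events = append(events, AccessEvent{At: at, User: f[1], Role: f[2], Patient: f[3], Action: f[4]})
	}
	return events, nil
}

// AfterHoursAccess counts, per user, record accesses outside the working window.
func AfterHoursAccess(events []AccessEvent) map[string]int {
	counts := map[string]int{}
	for _, e := range events {
		if h := e.At.Hour(); h < workdayStart || h >= workdayEnd {
			counts[e.User]++
		}
	}
	return counts
}

// BulkAccess flags users who touch at least bulkThreshold distinct patients
// inside any bulkWindow-long span, the pattern of someone browsing or copying
// records rather than treating one patient. The value is the largest such count.
func BulkAccess(events []AccessEvent) map[string]int {
	byUser := map[string][]AccessEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	flagged := map[string]int{}
	for user, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		for i := range evs {
			distinct := map[string]bool{}
			for j := i; j < len(evs) && evs[j].At.Sub(evs[i].At) <= bulkWindow; j++ {
				distinct[evs[j].Patient] = true
			}
			if len(distinct) >= bulkThreshold && len(distinct) > flagged[user] {
				flagged[user] = len(distinct)
			}
		}
	}
	return flagged
}

func main() {
	events, err := ParseAuditLog(sampleAuditLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("after-hours accesses per user:", AfterHoursAccess(events))
	fmt.Println("bulk access (distinct patients in one hour):", BulkAccess(events))
}
```

On the sample log both rules single out j.smith: six patient records viewed between 22:41 and 22:45 by a billing account, while the physician and nurse entries stay within hours and touch one or two patients each. A finding is a prompt for a conversation, not proof of wrongdoing; the point is that the trail makes the question askable.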

The best policy?

If you are unsure how to handle a security-related situation, contact your firewall or encryption vendor rather than guessing. Do not risk exposing yourself through a lack of information or understanding about a communication medium.

Also be aware that HIPAA security compliance is like a clinical encounter: If it’s not documented, then it didn’t happen. Therefore, document everything and make it part of a security manual.