Encrypt EHR — Else HIPAA Violations Need Be Reported To Government & Media

Ensure Patient Info is Encrypted to Be Exempt from Breach Regs

New regulations issued by the US Department of Health and Human Services (DHHS) require physicians and other individuals and entities covered under the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their health information has been breached. A “breach” means the “acquisition, access, use or disclosure of protected health information in a manner not permitted . . . which compromises the security or privacy of the protected health information.” Depending upon the number of patients whose health information may have been breached, a medical practice may be required to notify the DHHS and the statewide media in addition to notifying patients. For example, if a physician maintains patient information on a laptop computer containing the unsecured information of more than 500 patients and the laptop is stolen, the physician would be required to notify not only the patients affected by the breach, but would likely also need to notify the DHHS and the media. A medical practice need not report a breach if the patient information has been properly encrypted, because information that is encrypted is not considered “unsecured.”

The NYS Medical Society strongly recommends that if a medical practice maintains or stores patient information in electronic form, the practice should consider encryption. The Breach Notification requirements are very onerous, and encryption will enable a medical practice to avoid them. The problem is that most commercially available electronic medical records don’t yet offer encryption as an option!