Health IT and Electronic Health
 HIPAA Question
With the new laws on HIPAA and security, does everything need to be encrypted at a specific level: 128K, 256K, 1024K? What would be the best practice? Now, on text messages, how and what is the best practice for any text messages for encryption, if possible?

Software/Hardware used:
Sophos
ASKED: September 2, 2011  4:44 PM
UPDATED: September 14, 2011  3:38 pm

Answer Wiki:
First of all, when discussing HIPAA and encryption, it's important to specify if you mean encryption of data in transit (such as data being sent over exchanges, networks, email, text messages, etc.) or data at rest (such as electronic health records stored in a database). The HIPAA Security Rule makes encryption "addressable" meaning it is not required but still may be expected or needed depending on the results of the organization's risk assessment.

In practice, encryption in transit is pervasive in health information exchanges and transmissions over networks, but there appear to be plenty of health care providers that send PHI in email without encrypting it. The Direct initiative requires encryption for point-to-point exchanges of PHI between two providers or other entities, but communications between, for example, a doctor's office and a patient are not required to use encryption, so many don't.

Secure network communications using technologies like SSL or TLS can use a variety of different algorithms and key lengths, although 128 has been called into question now, and federal agencies at least are required to move to at least 256. With respect to EHR systems, the meaningful use standards and certification criteria require systems to be able to employ encryption meeting FIPS 140-2 standards (which set the minimum security for cryptography for government agency use). The health data breach disclosure rules that went into effect in 2009 also offer an exemption if data is encrypted, and HHS more or less mandated FIPS 140-2 level encryption to meet that requirement.

As for text messages, whether or not encryption is used really boils down to the electronic service provider that handles the text messaging. In general, SMS text messages are not encrypted, to my knowledge not by any major provider. There are third-party software solutions available to provide secure text messaging, but practically speaking you would need a private messaging service to deploy such capabilities, and your secure communication would be limited to senders and receivers that have the appropriate devices and technology.
Last Wiki Answer Submitted:  September 14, 2011  3:38 pm  by  SteveGonHIT   250 pts.
All Answer Wiki Contributors:  SteveGonHIT   250 pts.