When the HITECH Act was enacted in 2009, it introduced to HIPAA a fun concept called “breach notification.” In effect, that means that when a security “breach” happens, such as a laptop with health records on it being stolen or lost, the affected clients need to be notified, as does the federal government. If breach notification is your bag, you can read all about HIPAA’s breach notification rule in our article here.
Laptops and other mobile devices get stolen or lost rather frequently. However, there are great ways to secure these devices so that even if they are stolen, the bad guy can’t reasonably get in. Given that fact, shouldn’t there be some exception to the breach notification rule if the lost computer or smartphone is really well secured?
As you probably guessed, there is such an exception in the breach notification rule. That kind of exception is called a “safe harbor.” This safe harbor applies to more than just computers, of course. And, quite importantly, it only affects breach notification: the rest of HIPAA’s Security Rule still applies to you. That’s a pretty big deal, however. If your computer is secured to the safe harbor’s standards, and you lose it or it gets stolen, not having to report that breach to anyone can be a real lifesaver!
Sounds great! How do I get the safe harbor conditions on my computer or phone?
The safe harbor is attained by making all the health information on the computer or smartphone totally unreadable — and that means encryption.
We can’t just use any encryption, however. The safe harbor only counts encryption that the federal government (HHS) recognizes as rendering the data unreadable to an unauthorized person, and HHS points to NIST’s guidance on encrypting stored data (NIST Special Publication 800-111) as the standard for that. Legal safe harbor standards in general are an “A+” level of standard.
Enter “full disk encryption” (also called “full device encryption”). Accept no substitutes and don’t settle for anything less. This means that every little bit and byte on your computer or phone is encrypted, and only your encryption password (or the key your device derives from it) can unlock it. As long as the device is powered off or locked and your password is strong, a thief who pulls out the drive or boots the machine from a USB stick gets nothing but scrambled data. Encrypting a single folder or a single file doesn’t meet this bar, because everything outside that folder stays readable.
So how do I get full device encryption on my stuff? How much is this going to cost me??
It could very well be free!
If you have a Mac whose operating system isn’t several years old, you can get full disk encryption simply by going to your security settings and turning on FileVault 2. When you do, macOS gives you a recovery key; write it down and keep it somewhere that isn’t the laptop itself.
For Windows, there is also an encryption program called BitLocker. You can’t buy BitLocker separately. It only comes with the Pro, Enterprise, and Education editions of Windows. In our experience, most therapists need to upgrade their Windows to the Pro version in order to get BitLocker. (Some newer Windows Home machines offer a simpler “Device encryption” switch in Settings instead; if yours shows it, that also encrypts the whole drive.) As with FileVault, save the recovery key somewhere safe.
On an iPhone, you simply need to set a strong passcode. That’ll do it: the phone’s storage is always encrypted, and the passcode is what ties the key to something only you know. On Android phones, most recent models are encrypted out of the box; older ones have an “Encrypt phone” option in the security settings. Either way, confirm that encryption shows as on and set a strong passcode. Encryption on smartphones requires a little more thought and preparation than on computers, but it still works well. If you’re not sure about its effectiveness, see our article on why FBI vs. Apple was important for health care providers all over the US.
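For readers with a techie helper, here is a small script that checks whether a machine’s system drive actually qualifies. It is an added example, not code from this article: it runs each operating system’s own status tool (fdesetup on macOS, manage-bde on Windows, lsblk on Linux) and reads the answer. The sample outputs inside the script are constructed for the offline test; the two states that trip people up are a BitLocker drive that is “Fully Encrypted” but has protection switched off (the key is then stored in the clear, so the drive is not protected), and a FileVault drive that is still in the middle of encrypting.

```python
"""Check whether this machine's system volume is fully encrypted at rest.

Added example, not from the original article. Tool names are real; the
SAMPLES below are constructed outputs used for an offline self-test.
"""
import platform
import re
import subprocess
from dataclasses import dataclass


@dataclass
class Status:
    tool: str
    encrypted: bool   # every sector of the volume is ciphertext
    protected: bool   # the key is not stored in the clear
    detail: str

    @property
    def qualifies(self) -> bool:
        # Both are needed: a BitLocker volume in the "suspended" state is
        # fully encrypted but keeps its key unprotected on the disk.
        return self.encrypted and self.protected


def parse_fdesetup(output: str) -> Status:
    """Interpret `fdesetup status` (macOS). Encryption still in progress does not count."""
    on = output.strip().startswith("FileVault is On")
    in_progress = "Encryption in progress" in output
    return Status("fdesetup", on and not in_progress, on, output.strip())


def parse_manage_bde(output: str) -> Status:
    """Interpret `manage-bde -status <volume>` (Windows, needs an admin prompt)."""
    def field(name: str) -> str:
        m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", output, re.M)
        return m.group(1) if m else ""
    fully = field("Conversion Status").lower() == "fully encrypted"
    protected = field("Protection Status").lower() == "protection on"
    return Status("manage-bde", fully, protected,
                  f"{field('Conversion Status')}; {field('Protection Status')}")


def parse_lsblk(output: str) -> Status:
    """Interpret `lsblk -n -o NAME,TYPE,MOUNTPOINT` (Linux).

    Walks the device tree from the root filesystem upward and passes only
    if a dm-crypt ("crypt") device is one of its ancestors, so LVM-on-LUKS
    layouts are recognised too.
    """
    rows = []
    for line in output.splitlines():
        m = re.match(r"^([│├└─ ]*)(\S+)\s+(\S+)\s*(\S*)$", line)
        if m:
            rows.append((len(m.group(1)), m.group(2), m.group(3), m.group(4)))
    for i, (depth, name, typ, mnt) in enumerate(rows):
        if mnt != "/":
            continue
        chain, d = [typ], depth
        for pdepth, _, ptyp, _ in reversed(rows[:i]):
            if pdepth < d:          # nearer ancestor in the tree
                chain.append(ptyp)
                d = pdepth
        encrypted = "crypt" in chain
        return Status("lsblk", encrypted, encrypted, f"{name}: {' <- '.join(chain)}")
    return Status("lsblk", False, False, "no root filesystem found")


def run(cmd: list) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def check_this_machine() -> Status:
    system = platform.system()
    if system == "Darwin":
        return parse_fdesetup(run(["fdesetup", "status"]))
    if system == "Windows":
        return parse_manage_bde(run(["manage-bde", "-status", "C:"]))
    if system == "Linux":
        return parse_lsblk(run(["lsblk", "-n", "-o", "NAME,TYPE,MOUNTPOINT"]))
    raise RuntimeError(f"no check implemented for {system}")


# Constructed sample outputs (not captured from real machines).
SAMPLES = {
    "fv_on": "FileVault is On.\n",
    "fv_busy": "FileVault is On.\nEncryption in progress: Percent completed = 37\n",
    "fv_off": "FileVault is Off.\n",
    "bde_on": "Volume C: [Windows]\n    Conversion Status:    Fully Encrypted\n"
              "    Percentage Encrypted: 100.0%\n    Protection Status:    Protection On\n",
    "bde_suspended": "Volume C: [Windows]\n    Conversion Status:    Fully Encrypted\n"
                     "    Protection Status:    Protection Off\n",
    "lsblk_luks": "nvme0n1       disk\n├─nvme0n1p1   part /boot/efi\n└─nvme0n1p3   part\n"
                  "  └─cryptroot crypt\n    ├─vg-root   lvm  /\n    └─vg-swap   lvm  [SWAP]\n",
    "lsblk_plain": "sda      disk\n├─sda1   part /boot\n└─sda2   part /\n",
}

if __name__ == "__main__":
    s = check_this_machine()
    print(f"{s.tool}: {s.detail} -> {'qualifies' if s.qualifies else 'DOES NOT qualify'}")
```

Run it on the machine in question; on Windows, open the prompt as an administrator, because manage-bde prints nothing useful otherwise and the script will then report the drive as not encrypted.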
So you said that cheap or free software is the “good news.” Is there bad news?
The semi-bad news is that setting up full disk encryption is sometimes something you want skilled help with. If you’ve got a good tech helper, ask them to set it up with you. Or you can go to a professional geek or your local Apple store for assistance.
Another downside of full disk encryption is that it might be harder to share your computer with others. Remember that unlocking the whole machine will require your password every time you turn on the computer. You can certainly work around this, but it will require planning.
So that’s it? I just install the software and I get the safe harbor?
It’s almost that simple. Of all the techie things you can do to protect your clients’ information, full disk encryption is probably the easiest and least expensive way to simplify your security efforts. You do still need to behave in ways that support the encryption, though. For example, the encryption is unlocked while you’re logged in and using your devices, so a laptop that walks off while it’s open and running is readable no matter how good the encryption is. You need to lock it up again, by shutting the computer down or locking the screen with your password, before it leaves your hands, in order to qualify for the safe harbor.
Those details are a little outside the scope of this article. We discuss them a lot in our courses and in our weekly Office Hours, however.
We have developed a 1-hour CE course, as well as a number of walkthrough videos, to make it as easy as possible for therapists to achieve the easiest and most effective security methods they can for their computers and smartphones. Guidance on using full-disk encryption, plus walkthrough videos that explicitly show you how to set it up on your computer, are included in the course. The course is called HIPAA Investigation Repellent: Easy Ways to Prevent Most Security Breaches.
However you find your way to getting your gear qualified for the safe harbor in HIPAA’s breach notification rule, we strongly encourage you to do it. If all of us start using encryption in this simple and easy way, our clients and our society will be much safer.