#54334
05/13/2013 12:33 PM
OP
Member
Joined: Oct 2007
Posts: 667
Does anyone know what the HIPAA implications would be for an individual practice if the AC servers that housed patient info were breached? My understanding is that as long as the information is encrypted, which it would be in the cloud (presumably), then the breach reporting law does not apply.
Bill Leeson, M.D. Solo Family Medicine Santa Fe, NM

Member
Joined: Sep 2003
Posts: 12,849 Likes: 32
I would imagine that AC would be responsible, but I can't imagine not having to report simply because it was encrypted. There are so many more things that are involved in security breaches. It could simply be someone on the inside that has an encryption key.
Bert Pediatrics Brewer, Maine

G Member
Joined: Apr 2011
Posts: 2,316 Likes: 2
The more probable thing to happen is that someone gets a keylogger on your side of the cloud (on your desktop). Then it doesn't matter what encryption protocols they have in place. With your password, they can access any information. Of course their access will be logged, but they will likely succeed. That could happen even if you're not on cloud though. Many providers make the mistake of thinking cloud erases all security concerns. Be careful, as most of the same security concerns are present in both situations. You can never be too careful.

Member
Joined: Jan 2011
Posts: 440 Likes: 2
We just had a security risk assessment for EHR incentive. The consultant from the University of Texas Health Science Center told us if that data is encrypted, you do not have to report a breach. I also just watched a webinar by the Texas Medical Association that said the same thing.
Serene Office Manager General Pediatrics Houston, Texas

G Member
Joined: Apr 2011
Posts: 2,316 Likes: 2
I think it's important to understand what is encrypted.

Member
Joined: Sep 2003
Posts: 12,849 Likes: 32
Why would you not want to report a breach?
Bert Pediatrics Brewer, Maine

OP
Member
Joined: Oct 2007
Posts: 667
The law states that if there is an unsecured breach that involves more than 500 patients that you not only need to notify them but you also need to notify the MEDIA. That doesn't sound too good for business.
Bill Leeson, M.D. Solo Family Medicine Santa Fe, NM

Member
Joined: Jan 2011
Posts: 440 Likes: 2
I'm honestly not too savvy on this security rule. We don't have encrypted hard drives but are thinking about it. I just remember that's what the consultants told us. I guess you wouldn't want to report a breach b/c of the hassle.
Serene Office Manager General Pediatrics Houston, Texas

G Member
Joined: Apr 2011
Posts: 2,316 Likes: 2
Drive encryption will protect you against things like physical theft. But it will not protect you against network threats (most common). You will have a slight performance hit as well.

Member
Joined: Jan 2005
Posts: 442
I have a few questions about HIPAA Security rule coming into effect Sep 23, 2013.
I'm running Amazing Charts 6.3.3 in a Windows 7 Professional 64-bit peer-to-peer environment. 7 computers, one of which is the "main" computer which has the Amazing Charts folder and data. One provider.
Per the new regulation, it appears that the folder which has the Amazing Charts database and imported items needs to be encrypted. (I already have my backups, including remote backups, encrypted.)
Does anybody know if Amazing Charts has any official guidance on this?
What suggestion do you have for the easiest way to satisfy the new regulation?
I am concerned that some encryption methods could slow down the system. Also, if the method is too robust I worry about data loss.
...KenP Internist (retired 2020) Florida

G Member
Joined: Apr 2011
Posts: 2,316 Likes: 2
Best way is built-in BitLocker encryption which is transparent to Amazing Charts. Available on Server 2008/2008R2/2011/2012/etc. and Windows 7 ULTIMATE (not Pro), Windows 8 Pro, Win Vista Ultimate (Not Business), and the Enterprise versions.
Try to use a TPM module if possible. It's pretty light on resources too. They finally added it to the pro versions of the latest Windows iteration (Windows 8).
Bear in mind that drive encryption only protects against physical theft.
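
As an added example (not part of the original posts and not Amazing Charts guidance), the script below checks whether the volume holding the data folder is fully encrypted, has protection switched on, uses a TPM protector, and has a recovery password, which is the safeguard against the data-loss worry raised above. The install path is an assumption, and the script needs the BitLocker PowerShell module (Windows 8 / Server 2012 or later); on Windows 7, `manage-bde -status` reports the same fields.

```powershell
# Added example: audit BitLocker on the volume that holds the EHR data folder.
# Run elevated; needs the BitLocker module (Windows 8 / Server 2012 or later).
param(
    # Assumed install path; change it to where the database actually lives.
    [string]$DataPath = 'C:\Amazing Charts'
)

function Test-DataVolumeEncryption {
    param([Parameter(Mandatory)][string]$Path)

    # Map the folder to its drive letter, then read that volume's state.
    $drive = (Get-Item -LiteralPath $Path -ErrorAction Stop).PSDrive.Name + ':'
    $vol   = Get-BitLockerVolume -MountPoint $drive -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    $findings = @()
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "Not fully encrypted: $($vol.VolumeStatus), $($vol.EncryptionPercentage)%"
    }
    if ($vol.ProtectionStatus -ne 'On') {
        # Off also covers suspended protection, where the key is readable on disk.
        $findings += 'Protection is off or suspended'
    }
    if (-not ($types -match '^Tpm')) {
        $findings += 'No TPM-based key protector'
    }
    if ($types -notcontains 'RecoveryPassword') {
        # Without a recovery password, a TPM or board failure can lock out the data.
        $findings += 'No recovery password protector; create one and store it off this PC'
    }

    [pscustomobject]@{
        Drive      = $drive
        Method     = "$($vol.EncryptionMethod)"
        Protectors = $types -join ', '
        Pass       = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

Test-DataVolumeEncryption -Path $DataPath | Format-List
```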

Member
Joined: Feb 2011
Posts: 679 Likes: 1
I have been looking at this same issue regarding encryption.
Since I don't have BitLocker, I have been looking at TrueCrypt. Should I encrypt just critical files or entire disk? Any feedback on TrueCrypt?
What is a TPM module?
Donna

Member
Joined: Dec 2009
Posts: 1,194 Likes: 8
Windows 8 Pro comes with BitLocker so you don't have to pop the extra coin for Enterprise or Ultimate.
You may want to hold off until your next upgrade, if you can.
JamesNT