SVMIC Navigating Electronic Media in a Healthcare Setting, Part 2 (page 20)
appropriate safeguard for a covered entity, the covered entity must implement a mechanism to encrypt and decrypt ePHI.
In addition to maintaining all patients’ records in a secure, properly encrypted fashion on the recording device, all HIPAA-compliant apps and devices must be able to transfer any patients’ records they contain via a secure method such as Secure Sockets Layer (“SSL” or “https://”). Standard email, and even file transfer protocols such as “FTP”, are not generally secure; therefore, any transfer of patient information, records or media via these methods is not HIPAA compliant and, thus, unacceptable. The app should be able to upload records to the cloud or to your EHR using secure, encrypted channels.
Business continuity and disaster recovery are certainly important in any operation but, surprisingly, are among the more commonly overlooked elements of HIPAA’s security requirements. Any device or app should include an integrated failsafe backup to secure offsite storage, such as the cloud. HIPAA requires this backup to be encrypted using AES-256; in addition, should a third party be responsible for this backup, you must also have a formal Business Associate Agreement with the vendor where the secure backups are stored. This means solutions such as Dropbox or Google Docs are unacceptable and do not meet HIPAA’s requirements, as these vendors will not sign an independent BA agreement with a practice for anything stored on their servers.
One of the most common ways confidential patient records are exposed is through a lost or stolen device. When evaluating any patient record solution, it is critical that you are able to change your device and app password remotely, should you no longer have physical possession of the device. As with a credit