HIPAA Safe Harbor for Computer Systems

Imagine you walk back to your car and see glass all over the pavement. You quickly open the trunk and discover that your laptop bag, with the laptop inside, has been stolen. Then reality hits: that laptop contained the records of an undetermined number of patients from your healthcare organization. You think to yourself, the laptop had a password on it, so do I qualify for Safe Harbor?

The answer is: Maybe!

If the laptop used Full Disk Encryption (FDE) with a strong encryption key, then yes, you qualify for Safe Harbor. If the system was only password protected and did not use any type of encryption, then your organization will not qualify for Safe Harbor and will have to file a breach notification with the Federal Government, as well as notify all affected clients that a breach has occurred and that their ePHI was potentially exposed.

What is a HIPAA Safe Harbor?

The Safe Harbor method of anonymization and de-identification under the HIPAA Privacy Rule eliminates 18 patient identifiers from healthcare data. These identifiers are also known as protected health information (PHI). The Safe Harbor rule is defined in 45 CFR 164.514(b)(2) by the US Department of Health and Human Services. The intent is that, by manipulating or eliminating PHI in compliance with the Safe Harbor rule, a patient's identity cannot be traced back to the original data set.

Using Encryption to Qualify for Safe Harbor

With FDE, any ePHI (or potential ePHI) stored on a computer system is unreadable without the password that unlocks the decryption key. Because the data is unreadable if the unit is lost or stolen, the organization complies with Safe Harbor and does not need to file a breach notification with the federal government.

In order to qualify for Safe Harbor, it is important to do the following:

  1. Encrypt the whole hard disk, not just part of it.
  2. Require the use of strong passwords and periodic password changes.
  3. Configure the system to require the user to enter a password/PIN after a reboot, when the system resumes from suspension, and after a period of inactivity, so that if the laptop is lost or stolen there is no practical way for someone without the username/password/PIN to gain access to the PHI on it. The laptop must always require the user to authenticate themselves. Otherwise, it leaves open the possibility that an unauthorized user could gain access to the laptop and the PHI it contains.
  4. Policies and procedures should require the PC user to suspend or shut down the laptop any time it is not in their physical possession. For example, if they are using it in a public area and walk outside to take a break, they should suspend the PC so that no one else could take the laptop and immediately start accessing the PHI on it.
  5. Don't forget that in the HIPAA world, if it isn't documented, it didn't happen. Be sure to create the necessary documentation stating which systems have FDE, the strength of the FDE encryption key, and the organizational policies around FDE.
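The checklist above can be turned into an audit a practitioner runs on each laptop. The following PowerShell script is an added example, not code from the original post, and it assumes a Windows Pro/Enterprise laptop protected with BitLocker, run from an elevated session. The thresholds (AES-256, 12-character passwords, 90-day expiry, 15-minute lock) are assumed organizational values rather than numbers from HIPAA, and the parsing of `powercfg` and `net accounts` text output is this example's own assumption. Item 4 is a user policy and is not checked from the machine.

```powershell
# Added example, not code from the original post: audit one Windows laptop against
# the FDE checklist above using BitLocker. Assumes Windows Pro/Enterprise with the
# BitLocker PowerShell module, run from an elevated session. Numeric thresholds are
# assumed organizational values, not figures from HIPAA.
#Requires -RunAsAdministrator

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Whole disk, not part of it: every volume BitLocker reports must be fully
#    encrypted with protection on and a 256-bit AES cipher (assumed minimum).
$strongCiphers = @('XtsAes256', 'Aes256')
foreach ($vol in Get-BitLockerVolume) {
    $fully  = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')
    $strong = $strongCiphers -contains "$($vol.EncryptionMethod)"
    Add-Finding "Full disk encryption on $($vol.MountPoint)" ($fully -and $strong) `
        "status=$($vol.VolumeStatus) protection=$($vol.ProtectionStatus) cipher=$($vol.EncryptionMethod)"

    # 3a. Authentication before boot: a TPM-only protector unlocks the OS volume with
    #     no user secret, so require a TPM+PIN (or password) protector.
    if ($vol.VolumeType -eq 'OperatingSystem') {
        $types   = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $preBoot = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey') -or ($types -contains 'Password')
        Add-Finding 'Pre-boot PIN/password on OS volume' $preBoot ('protectors=' + ($types -join ','))
    }
}

# 2. Strong passwords, changed periodically: local policy from `net accounts`
#    (a domain-joined machine would check the domain password policy instead).
$acct   = (net accounts) -join "`n"
$minLen = if ($acct -match 'Minimum password length:\s*(\d+)') { [int]$Matches[1] } else { 0 }
$maxAge = if ($acct -match 'Maximum password age \(days\):\s*(\S+)') { $Matches[1] } else { 'Unlimited' }
Add-Finding 'Minimum password length >= 12' ($minLen -ge 12) "min length=$minLen"
Add-Finding 'Password expires within 90 days' ($maxAge -ne 'Unlimited' -and [int]$maxAge -le 90) "max age=$maxAge"

# 3b. Lock after inactivity: prefer the machine-wide policy
#     ("Interactive logon: Machine inactivity limit"), else a secure screen saver.
$maxIdle = 15 * 60
$sys  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$idle = [int]$sys.InactivityTimeoutSecs
if ($idle -le 0) {
    $desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    if ("$($desk.ScreenSaveActive)" -eq '1' -and "$($desk.ScreenSaverIsSecure)" -eq '1') {
        $idle = [int]$desk.ScreenSaveTimeOut
    }
}
Add-Finding 'Screen locks after inactivity' ($idle -gt 0 -and $idle -le $maxIdle) "timeout=${idle}s (limit ${maxIdle}s)"

# 3c. Password required on resume from sleep: powercfg's CONSOLELOCK setting must be
#     index 1 on both AC and DC (parsing its text output is this example's assumption).
$pc = @(powercfg /query SCHEME_CURRENT SUB_NONE CONSOLELOCK 2>$null)
$on = @($pc | Where-Object { $_ -match 'Current (AC|DC) Power Setting Index:\s*0x0*1\s*$' })
Add-Finding 'Password on resume (AC and DC)' ($on.Count -eq 2) "matching powercfg lines=$($on.Count)"

# 5. If it isn't documented, it didn't happen: keep dated evidence per host.
#    (Item 4, suspending the laptop whenever it leaves the user's possession, is a
#    user policy and cannot be verified from the machine's configuration.)
$report = [pscustomobject]@{
    Host      = $env:COMPUTERNAME
    Checked   = (Get-Date).ToString('o')
    Compliant = (@($findings | Where-Object { -not $_.Pass }).Count -eq 0)
    Findings  = $findings
}
$findings | Format-Table -AutoSize
$report | ConvertTo-Json -Depth 4 | Set-Content -Path "fde-audit-$($env:COMPUTERNAME).json"
```

Run it on each laptop and keep the JSON files with the organization's FDE documentation; the per-host record of cipher, protector type and lock settings is exactly the evidence item 5 asks for. A TPM-only BitLocker configuration is deliberately flagged as failing item 3, because it unlocks the disk at boot without any user secret and relies entirely on the Windows logon screen.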

Recently, a large radiation oncology practice settled with the Federal Government for $750,000 after an unencrypted flash drive was stolen out of an employee's car. More can be read about the settlement on powersolution.com's blog post: $750,000 HIPAA settlement emphasizes the importance of risk analysis

Depending on the systems your organization uses, implementing FDE might not incur any further expense, and it may save the organization a significant amount of money if a breach does occur.

IT services for medical professionals to ensure HIPAA compliance

Considering how much weight your computer network carries in a modern medical practice office, you must turn to trusted IT advisors when making your practice HIPAA/HITECH compliant.

  • Physical and virtual safeguards for ePHI
  • Technical safeguards
  • Tracking/audit logs
  • Strict technical policies
  • Security of network and transmission

Give us a call now at (855) 551-7760 – your computer network will thank you!

If you are located in New Jersey or NJ NY area, and are looking for Managed IT services and Computer Support for your Medical Practice — you may have searched the internet for Doctors IT Support, Medical office IT support, Healthcare IT support, IT support for Medical practices, Outsourced IT Support, Healthcare IT support, and Medical Practice Startup — look no further: we are here to provide your medical practice with reliable IT Support.

How is your state of IT? Call Us: (855) 551-7760 with any questions.