Encryption: Protect Your Patient Data
What is Encryption
Encryption: “The process of converting information or data into a code, especially to prevent unauthorized access.”
Encryption is a very important line of defense when it comes to protecting your patient data. Along with good physical security and following other security best practices, it will help protect both you and your patients by making it nearly impossible for someone to read data that they are not entitled to read, even if they are able to access it.
In practical terms, you will use a software application that seamlessly encrypts your data when at rest and decrypts it when the system is in use.
Why You Need It
Encrypting data is considered an “Addressable” implementation specification in the HIPAA Security Rule. This means that while encrypting data is not strictly required, it is required where “reasonable and appropriate”. Given the relative ease of encrypting data with modern technology, it is nearly always reasonable and appropriate to encrypt your data. If an entity chooses not to encrypt their data at rest or during transmission, they must have a solid reason, backed up by documentation, as to why they chose not to do so.
How to Use It
Encrypting "Data at Rest"
You can feel confident that ChiroTouch encrypts all your protected health information (PHI) that we store within our own system, and also PHI being sent from ChiroTouch to you, while in transit. However, ChiroTouch CANNOT encrypt the PHI that resides on your own hard drive(s). Protecting this information is your responsibility. Read the last section below for information on how to encrypt your at-rest data.
Encrypted Communication – Provider-to-Patient
The Certified version of ChiroTouch comes with the ability to encrypt online correspondence between provider and patient. Normally this certification is only done for clinics participating in the Quality Payment Program (QPP). However, this technology can be made available to any clinic wishing to have encrypted communications with their patients. You can request to obtain a certified version, and once you have it you can set up your patients to use the Patient Portal for secure messaging and document transfer.
If you choose this route you should give this instruction pamphlet to each patient you register. It explains how to send and receive messages through the portal, how to download attachments, and so on.
NOTE: If you are not participating in QPP, you can ignore most of the other features built into the Patients application beyond the registration button. And you can ignore the other features built into the Patient Portal that don't apply strictly to messaging.
NOTE: If you switch to a certified version of ChiroTouch, be aware that this version does not allow you to delete patients.
Encrypted Communication – Provider-to-Provider
Providers can correspond with other providers securely through MaxMD and Direct Messaging. This paid-subscriber service is required for interoperability and compliance with Health Information Exchange measures, and it can be used whenever secured correspondence is needed.
Because of its simplicity and integration with the Windows operating system, ChiroTouch recommends that you use Microsoft BitLocker to encrypt the hard drives of your server and client machines.
As with any technical operation involving patient data, there is a small but real risk of data loss if something goes wrong while enabling this feature.
Therefore, it is strongly recommended that you have a current backup of your data before performing this operation, and that you contact your IT professional for assistance. It is also very important that you store your BitLocker recovery key safely, both to prevent unauthorized access and to ensure that you are always able to decrypt your data if the machine's hardware fails or is replaced. Please discuss this and any other considerations with your IT professional as well.
Below are links to documentation on how to enable BitLocker on the most common operating system versions in use by our clients:
- Windows 8.1 – Pro/Ultimate/Enterprise
- Windows 10 – Pro/Enterprise
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
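As an added illustration of the recommendation above (this is example code, not ChiroTouch's own instructions and not a substitute for your IT professional's procedure or the Microsoft documentation linked above), the following PowerShell script shows what enabling BitLocker on the system drive and backing up the recovery key looks like on a Windows 10 Pro/Enterprise machine: it checks whether the drive is already protected, creates a recovery password before encryption starts, turns on BitLocker with a TPM protector, and writes each recovery password to a location off the encrypted disk. The drive letter and the backup path are assumptions; the script must be run from an elevated (Administrator) PowerShell session.

```powershell
# Added example: verify, enable and back up BitLocker on the system drive.
# Requires an elevated PowerShell on Windows 10 Pro/Enterprise (or Windows Server
# with the BitLocker feature installed). Paths below are assumptions.
$Drive      = "C:"                    # assumed: the system drive holding ChiroTouch data
$BackupPath = "E:\BitLocker-Backup"   # assumed: removable media kept OFF this machine

# 1. Check the current state. ProtectionStatus 'On' means BitLocker is already
#    protecting the drive and nothing further needs to be enabled.
$vol = Get-BitLockerVolume -MountPoint $Drive
"{0}: VolumeStatus={1}, ProtectionStatus={2}, Method={3}" -f `
    $Drive, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod

if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "BitLocker is already protecting $Drive; skipping enable step."
}
else {
    # 2. Create the recovery password BEFORE encryption starts. This is the key
    #    that lets you decrypt the drive if the TPM or the hardware fails, which
    #    is why the page insists it be stored safely.
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null

    # 3. Turn on BitLocker with a TPM protector so the drive unlocks automatically
    #    at boot on this machine. -UsedSpaceOnly is deliberately NOT used: a drive
    #    that has already held patient data should be fully encrypted so that
    #    previously deleted files do not remain readable in free space.
    Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 `
        -TpmProtector -SkipHardwareTest
}

# 4. Export every recovery password to the off-disk backup location. Keep this
#    file somewhere an attacker who steals the machine cannot reach.
$protectors = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'

New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
foreach ($p in $protectors) {
    $file = Join-Path $BackupPath ("{0}-{1}.txt" -f $env:COMPUTERNAME, $p.KeyProtectorId.Trim('{}'))
    @"
Computer:          $env:COMPUTERNAME
Drive:             $Drive
Protector ID:      $($p.KeyProtectorId)
Recovery Password: $($p.RecoveryPassword)
"@ | Set-Content -Path $file
    Write-Host "Recovery password saved to $file"
}
```

On a domain-joined server, `Backup-BitLockerKeyProtector -MountPoint C: -KeyProtectorId <id>` escrows the same recovery password in Active Directory instead of (or in addition to) a file, which is often the easier answer to "where is the key kept" during a HIPAA risk review. Encryption continues in the background after the script finishes; `Get-BitLockerVolume` reports `EncryptionPercentage` until it reaches 100.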