Ask the Lawyer: October 2011 (Patient Data)

Do I have to encrypt patient data (PHI) if I send it over the internet or store on a laptop?

The short answer is no. I am sure you are now saying, “She does not know what she is talking about.” The statute does not require you to encrypt PHI, but if there is a breach and the data is not encrypted, you must notify patients of the breach.

As provided in CFR 164.312(a)(2)(iv), a covered entity should consider implementing encryption as a method for safeguarding PHI. A covered entity could be in compliance with the Security Rule even if the covered entity decides not to encrypt electronic PHI but uses a comparable method of safeguarding the data. If a covered entity encrypts PHI and a breach occurs, the covered entity will not be required to provide breach notification, as the encrypted PHI is considered “secure.”

If you are sending PHI over the internet without encryption, it would be hard to imagine you are following the Security Rule. I guess it is similar to cheating on your income taxes. You may get away with it for a while, but when you get caught, you will have to pay.

This article is for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. The information contained in this article does not create an attorney-client relationship between Karen McKeithen Schaede Attorney at Law, PLLC and the reader.