Thursday, March 24, 2005

Encryption and Decryption

Encryption and Decryption is the next and last Access Control task. This task requires that agencies implement a mechanism to encrypt and decrypt EPHI. It is an addressable task.

This task requires that agencies look at and address the need for encryption and decryption for any electronic transfer of EPHI data. This can entail transmission to billing entities, email, and remote access by employees. Some of these items, like transmission to Medicaid or Medicare, are not under your control. You must use the methods and/or software that they dictate. Email can be a big issue if you transfer any EPHI, even if it is with your patient. The patient could probably sign a waiver indicating they realize that Internet email is not secure. Or you could create a policy stating that no EPHI should be sent via email. I suspect that this will get tougher as more patients elect to use email for some communications with their doctors.

No remote access to your location should be provided without a VPN (Virtual Private Network). A VPN by its nature encrypts and decrypts data that passes through it.
