Contributed by Lee Kim, Esquire

The American Medical Association has posted HIPAA Security Rule guidance for physicians.  It recommends that electronic protected health information ("ePHI") should be encrypted and suggests that AES technology should be used (as a more secure alternative to RSA technology).  Both data at rest (e.g., files which reside on your hard drive or other storage media) should be encrypted as well as data in transit (e.g., e-mail and other information transacted by way of the Internet or other network).  Encryption is an addressable implementation specification under the HIPAA Security Rule.  However, it is highly recommend that encryption should be implemented across all computing devices including mobile devices (e.g., thumb drives, laptops, etc.).  Backups should also be encrypted. 

In addition, policies and procedures should be put in writing and implemented to comply with the HIPAA Security Rule.  The workforce must be trained to comply with the HIPAA Security Rule.  In addition to technical safeguards, physical and administrative safeguards must be implemented to ensure the confidentiality, integrity, and availability of ePHI.  Compliance with the HIPAA Security Rule also should be documented.

If you are a covered entity or a business associate in need of HIPAA Security compliance, please contact us for assistance if interested.