Options for Protecting ePHI

The following is provided for informational purposes only. Practitioners are encouraged to explore the options that best meet the needs of their practice or facility.

Password-Protect Microsoft Word Files

• Requires that the recipient knows the password to open it 
• Can save the file as "read only" to prevent content from being altered and saved over 
• Not impossible to hack but provides some degree of protection 
• Would not absolve covered entity from breach notification if files were accessed

Encryption Using a "Public-Private Key" Option

• A public key infrastructure, or PKI, is a code given to others; they use this key to lock messages when they send them to you; public keys can be shared in a non-secure manner 
• Private key is the code you have to unlock those messages 
• A digital certificate can be obtained—this contains the public key and verifies who is sending the communication 
• See Primer on Public-key Encryption for more information 
• If you are having two-way communication entailing sending ePHI (you send a report to the doctor and the doctor sends you information as authorized by the patient), both parties would need their own private keys and know each other's public key
• You must keep your private key secure—if it is lost, you will not be able to decrypt messages and if it is stolen, someone else will be able to access the information

Encryption Using "Symmetric Key" Option

• The same key is used to encrypt and decrypt information
• The key must be shared between the parties communicating in a secure way

Secure Web Sites

• Requires that you purchase a secure site (e.g., https)
• Need a digital certificate (see Digital Certificates 101 for more information)

Virtual Private Networks (VPNs)

• Private network that uses the Internet to connect users
• Allows secure access and communication 
• Must purchase software or systems to create a VPN 
• More information is available on How Stuff Works