Data Encryption Requirements
Health Information Custodian Responsibilities
It is the responsibility of the Health Information Custodian or Agent of Health Information Custodians to protect the collection, use and disclosure of Personal Information (PI) and Protected Health Information (PHI). This protection extends to ensuring Patient’s PI and PHI is secured in transit and at rest according to industry best practices.
An “agent” of a health information custodian includes anyone who is authorized by the health information custodian to do anything on behalf of the custodian with respect to personal health information. These actions are for the purposes of the health information custodian and not the agent.
The Health Information Custodian or Agent can be any number of individuals or organizations who have custody or control of personal health information such as: doctors, nurses, hospitals or other health care providers.
- Doctors, nurses, hospitals or other health care providers
- Employees of the health information custodian
- Persons contracted to provide services to the health information custodian where the person has access to personal health information (e.g. copying or shredding service, records management service)
- Volunteers or students who have any access to personal health information
When your ABEL data is at rest, including production systems, backed up data in storage and when being migrated from the source EMR, it must be protected using a means of encryption.
Encryption for Data Export / Migration / Transfer
PI and PHI data must be protected using encryption when being migrated from the source EMR.Steps for encrypting your data prior to migration or transfer:
- Prior to performing your data migration, select an appropriate encryption product and install it upon the computer containing the source of your data.
- Use the encryption tool to create an encrypted file containing the source PI and PHI.
- Generate a decryption key for the file during the encryption process. Protect this key.
- Transfer or migrate the encrypted data to your destination.
- Use the decryption key to decrypt the data for authorized access.
The following are recommended encryption products which provide 256-bit AES encryption. The end user has the ability to export and encrypt the data themselves and will be in possession of the decryption codes.
Data at rest
Ensure that data at rest is protected using encryption such as Microsoft BitLocker. BitLocker is a full disk encryption feature included with Microsoft Windows. It is designed to protect data by providing encryption for entire hard disk volumes. It provides 256-bit AES encryption.
To access Microsoft Support article for enabling BitLocker Click Here.