If the electronic PHI is stored and transmitted in encrypted form, how you handle a security breach changes drastically. Any data can be encrypted. Encryption is a process that converts plain text into cipher text, which is unreadable to any unintended party that accesses the file without “permission.” It works by applying a mathematical algorithm, controlled by keys, to encode and decode the cipher text. This process is performed by computer programs or by hardware designed specifically for the purpose.
HHS states that a HIPAA-compliant entity is not exempt from the breach notification requirements if it keeps the keys on the same device as the encrypted data. Ask your vendor about this before selecting an encryption product. Keys can be stored on a USB flash drive or a key server, or be regenerated as needed. For more information, see the HIPAA Security Rule FAQ Regarding Encryption. On your computer, programs such as Microsoft® Encrypting File System (EFS) are built-in encryption tools that are easy to use: you simply change the properties of the folder.
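As an added example (not code from the article, HHS, or any vendor), here is a small audit check for the point above: it reports any key file that sits on the same storage device as the encrypted ePHI, so a key kept on a separate USB drive or key-server mount passes and a key dropped beside the data does not. It assumes ciphertext files end in `.enc`, key material ends in `.key`, `.kek` or `.pem`, and a separate device shows up as a different `st_dev`.

```python
# Audit: flag encryption keys co-located with the encrypted ePHI they protect.
import os
from collections import namedtuple
from pathlib import Path

# Assumptions about naming; adjust to match the encryption product in use.
CIPHERTEXT_SUFFIX = ".enc"
KEY_SUFFIXES = {".key", ".kek", ".pem"}


def same_storage_device(path_a, path_b, stat=os.stat):
    """True when both paths live on the same filesystem/device (same st_dev).
    `stat` is injectable so the check can be exercised without two real devices."""
    return stat(path_a).st_dev == stat(path_b).st_dev


def find_colocated_keys(data_dir, key_dirs, stat=os.stat):
    """Return (ciphertext, key) pairs that share a storage device.
    data_dir: where encrypted ePHI lives; key_dirs: every place keys may be kept."""
    ciphertexts = [p for p in Path(data_dir).rglob("*" + CIPHERTEXT_SUFFIX) if p.is_file()]
    keys = [p for d in key_dirs for p in Path(d).rglob("*")
            if p.is_file() and p.suffix in KEY_SUFFIXES]
    findings = []
    for ct in ciphertexts:
        for key in keys:
            if same_storage_device(ct, key, stat):
                findings.append((str(ct), str(key)))
    return findings


def safe_harbor_candidate(data_dir, key_dirs, stat=os.stat):
    """True only when no key file shares a device with any ciphertext file."""
    return not find_colocated_keys(data_dir, key_dirs, stat)


def demo():
    """Constructed sample: a placeholder ciphertext and key written side by side in one
    temp folder (the failing case), then re-checked with a stat that reports the key
    folder as a separate device (the passing case). Returns (colocated_ok, separated_ok)."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    (root / "records.enc").write_bytes(b"\x00" * 16)           # constructed, not real PHI
    (root / "keys").mkdir()
    (root / "keys" / "records.key").write_bytes(b"\x00" * 32)   # constructed placeholder key
    colocated_ok = safe_harbor_candidate(root, [root / "keys"])

    FakeStat = namedtuple("FakeStat", "st_dev")
    def stat_on_usb(p):  # pretend everything under keys/ is on a separate USB device
        return FakeStat(2 if Path(p).parent == root / "keys" else 1)
    separated_ok = safe_harbor_candidate(root, [root / "keys"], stat=stat_on_usb)
    return colocated_ok, separated_ok
```

Run `demo()` to see the two outcomes; in a real audit, point `data_dir` at the ePHI store and `key_dirs` at every location the vendor's product writes key material.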
The same protection extends to your mobile devices, which should also be password protected. Change your passwords regularly: at least every 90 days. Any ePHI that is used or stored on a mobile device must also be encrypted, including: access to a web portal through the mobile device's web browser, SMS/text messages, email, and images.