TPC-Journal-V5-Issue3

The Professional Counselor /Volume 5, Issue 3 415

sanitization is a critical element in assuring confidentiality of information (Kissel et al., 2014). For example, in counseling internship courses, students may be asked to delete recorded sessions during the last day of classes so that the instructor can have evidence of the appropriate disposal of this information. NIST identifies four different types of media sanitization: disposal, clearing, purging and destroying (Kissel et al., 2014). The decision as to which type of media sanitization is appropriate requires a cost/benefit analysis, as well as an understanding of the available means to conduct each type of sanitization. (The authors recommend that counseling departments consult with an individual from the university information technology department.)

Technical Safeguards

The language in HIPAA is clear regarding the implementation of technical safeguards, requiring that access to electronic media devices containing PHI be granted only to those who need such access to perform their duties.

Unique user identification. If a device allows for unique user identification, one should be assigned to minimize the unintended access of ePHI. HIPAA standards (2013, §164.514) state that an assigned code should not be “derived from or related to information about the individual” (p. 1064).

Emergency access. Covered entities are required to have procedures in place that allow ePHI to be accessed in the event of an emergency (HIPAA, 2013, §164.310). The procedures can be addressed within counselor education programs so as to ensure that the student and the supervisor have access to the ePHI at the designated storage location.

Encryption. Encryption is a digital means of increasing the security of electronic data. Using an algorithmic process, the data is scrambled so that the probability of interpretation is minimal without the use of a confidential key to decode the information.
Though the language of HIPAA categorizes encryption as addressable rather than required, the implementation of encryption policies is a best practice to help ensure the protection of ePHI. The language of HIPAA makes it clear that an “addressable” item must be implemented if it is “reasonable and appropriate” (HIPAA, 2013, §164.306, p. 1028) to do so. Huggins (2013) has recommended that ePHI be stored on drives that allow for “full disk encryption” at a minimum strength of 128 bits. With the availability of many different types of software packages that can encrypt at a recommended strength, implementing encryption standards in a counseling department is affordable and reasonable. Most modern computer operating systems have options to encrypt various drives built into the functionality of the system. Full disk encryption is recommended because of its higher level of security and also because it can provide exemption from the Breach Notification Rule mentioned earlier (Breach Notification, 2009). In case of a breach, the burden is on the covered entity to prove that the ePHI was not accessed; otherwise, Breach Notification Rules must be followed. The assumption is that if a disk is fully encrypted, even if accessed by an unauthorized person, it is highly unlikely that an unauthorized party will obtain access to the ePHI (Breach Notification, 2009). The authors strongly encourage the use of encrypted devices as a standard policy for the collection and storage of ePHI (see Scarfone, Souppaya, & Sexton, 2007). The policy creates greater protection against the accidental disclosure of an individual’s ePHI. Additionally, organizations that use commercial cloud storage service providers should investigate whether these providers are willing to sign a Business Associate Agreement, in which the provider agrees to adhere to regulations of HIPAA (2013, §160.103). If not, the storage of ePHI may not be in alignment with HIPAA standards.
