A client recently asked me whether her organization could encrypt iPads that contained PHI. The answer is yes. Encryption, of course, is an addressable implementation specification under the Access Control Standard of the Technical Safeguards of the Security Rule. With having to report to the Department of Health and Human Services (“DHHS”) and to the individual breaches of unsecured—that is, readable electronic protected health information (“EPHI”), EPHI that is not encrypted or destroyed consistent with the National Institute of Standards and Technology (“NIST”) standards—encryption will often be reasonable and appropriate. See my September 17, 2012, blog post about the $1.5 million settlement that the Massachusetts Eye and Ear Infirmary (“MEEI”) and Massachusetts Eye and Ear Associates, Inc. (“MEEA”), entered into for not having done a risk analysis of laptops that they lost or having assessed and documented why an equivalent alternate measure, such as encryption, was or was not reasonable and appropriate.
Turning on an iPad’s passcode feature automatically encrypts all the data stored on the device. As an additional security measure, the device will delete its reference to the passcode if someone enters the wrong one 10 times consecutively. The iPad’s email capability can encrypt such messages through the Advanced Settings Option under the Account Information.
According to writer Solomon Poretsky of Demand Media, the iPad’s built-in email client supports encrypted email transfers over the Secure Sockets Layer (“SSL”) protocol. The option to turn on SSL is in the “Advanced Settings” option under the “Account Information” display. This step will not encrypt the email while it is on your iPad, but it will encrypt emails sent over the internet between your iPad and your email server. Web sessions may also be encrypted. Finally, because perhaps the best way to safeguard your data is not to have it on your iPad, apps exist that allow you to remotely access your work computers over an encrypted internet connection or virtual private network (“VPN”). Thus, your iPad would not have any PHI on it if lost or stolen. For an excellent explanation of these iPad security measures, read the entire article, “Does the iPad Have Encryption?”