HIPAA Encryption Requirements

Confusingly, though the encryption of Protected Health Information (PHI) is defined as an “addressable” requirement under HIPAA legislation, it is compulsory. The term “addressable” merely means that it is up to covered entities (CEs; those who can access and modify PHI) to decide how best to encrypt the data. The encryption itself is, however, essential.

If encryption, for whatever reason, cannot be implemented, the CE is required to enact another safeguard. Their reason for doing so must be carefully documented, along with the means of protection. Some sort of safeguard is required “wherever deemed appropriate”, again leaving the choice to encrypt up to the CE and their business associates. Some CEs may choose not to encrypt data that is only maintained within their own private network. The risk that an unauthorised, outside source will access this data is low.

However, if the PHI at any stage leaves the company’s own firewall, encryption now becomes an addressable requirement. The only exception is when a patient has given their written consent that their data can be communicated without encryption.

“Addressable Requirements”

When the Security Rule, the part of the HIPAA legislation that dictates encryption requirements, was originally enacted, it was acknowledged that future technologies would be more advanced. Leaving the requirement for encryption or an equivalent safeguard somewhat vague was therefore a deliberate attempt to accommodate those future technologies.

With the Security Rule left “technology neutral”, organisations can select the appropriate encryption method for each situation. This makes quite a difference from an administrative standpoint, as finding a single means of safeguarding data that works across a range of platforms can be difficult.

Regular risk assessments are recommended to help a CE decide on its plan to protect data. Such an assessment identifies the main threats to the confidentiality and availability of PHI, both within and outwith the organisation.

Encrypting Emails and Secure Messaging

Any email that contains private patient data must be encrypted or otherwise safeguarded from hackers. The Office for Civil Rights (OCR) does not specify that emails must be encrypted, though it is recommended that CEs and their associates follow the guidelines laid out by the National Institute of Standards and Technology (NIST). NIST recommends the Advanced Encryption Standard (AES) with 128-, 192- or 256-bit keys, OpenPGP, and S/MIME.

It is estimated that around 80% of healthcare workers use personal mobile devices during their everyday work routine. Maintaining the integrity of patient data under these circumstances presents employers with unique obstacles. Yet prohibiting such “Bring Your Own Device” (BYOD) practices would likely incur a huge cost for the business.

Instead, a large number of CEs and their associates use secure messaging platforms. These comply with HIPAA regulations by ensuring data is encrypted both while it is stored on the device (at rest) and while it is transferred to another (in transit). If it is intercepted, it is rendered unreadable without adequate authorisation.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]