HIPAA does not explicitly require encryption of protected health information (PHI). However, it strongly recommends the use of encryption as an important safeguard for protecting PHI and maintaining its confidentiality. While HIPAA does not provide specific encryption requirements, it considers encryption as an addressable implementation specification under the Security Rule. This means covered entities and business associates must assess the risks associated with PHI and determine if encryption is a reasonable and appropriate security measure to implement. The decision to use encryption should be based on a risk analysis and consider factors such as the size, complexity, and capabilities of the organization, as well as the potential harm that could result from unauthorized access to PHI. If an organization determines that encryption is a reasonable and appropriate safeguard, it should implement a secure encryption method to protect PHI during storage and transmission. HIPAA does not specify the specific encryption algorithms or technologies to use, allowing organizations to choose encryption methods that meet their specific needs and industry best practices. However, it is important to select encryption solutions that are strong, widely accepted, and adequately protect PHI from unauthorized access. By employing encryption, covered entities and business associates can enhance the security of PHI, mitigate the risks of data breaches, and demonstrate a commitment to safeguarding sensitive health information. Encryption helps ensure that even if unauthorized individuals gain access to PHI, they cannot decipher or use it without the appropriate decryption key, providing an additional layer of protection and aligning with HIPAA’s overarching goal of preserving patient privacy.
HIPAA Encryption Requirements Checklist
Here’s a checklist for HIPAA encryption requirements:
- Conduct a Risk Analysis: Perform a comprehensive risk analysis to identify the potential vulnerabilities and risks associated with the storage and transmission of protected health information (PHI).
- Determine Encryption Needs: Assess whether encryption is a reasonable and appropriate safeguard based on the identified risks and the potential harm that could result from unauthorized access to PHI.
- Select Strong Encryption Methods: Choose encryption solutions that utilize strong and widely accepted encryption algorithms or technologies, ensuring they are capable of adequately protecting PHI.
- Encrypt PHI in Transit: Implement encryption mechanisms to secure PHI during transmission over networks, such as encrypting data sent via email, file transfers, or electronic data interchange (EDI) transactions.
- Encrypt PHI at Rest: Employ encryption methods to secure PHI stored in databases, on servers, in electronic health record systems, or on portable storage devices such as laptops, smartphones, and external hard drives.
- Secure Encryption Keys: Safeguard the encryption keys used to encrypt and decrypt PHI. Implement strong access controls and authentication measures to ensure that only authorized individuals have access to the keys.
- Develop Encryption Policies: Establish clear policies and procedures for encryption, outlining when and how encryption should be applied to PHI. Communicate these policies to employees and ensure their understanding and compliance.
- Implement Encryption Monitoring: Regularly monitor and assess the effectiveness of encryption mechanisms in place to ensure that encryption is consistently applied and functioning as intended.
- Train Employees: Provide training and education to employees on encryption practices, emphasizing the importance of using encryption to protect PHI and explaining how to properly encrypt data in various scenarios.
- Review and Update Encryption Measures: Periodically review and update encryption measures to align with evolving encryption technologies, best practices, and regulatory requirements.
Explaining the HIPAA Encryption Requirements
The term “addressable” does not mean the security measure is something that can be disregarded until later. It actually means that the security measure must be implemented, a different option to the security measure that produces the same results should be implemented, or a covered group has to record (with a justifiable reason) why no course of action has been implemented in place of this security measure.
The term “whenever deemed appropriate” could, for instance, be applied to covered groups that share communications via an internal server protected by a firewall. In this case, there should be no danger to the integrity of PHI from an outside source when confidential patient data is at rest or on the move.
After is a communication that includes PHI is sent beyond a covered entity’s firewall, encryption becomes an addressable safeguard that must be enabled. This applies to any form digital communication – email, text message, instant message, etc. – apart from when a patient has given their express, written permission for their PHI to be communicated without encryption.
How to Consider Encryption Solutions
One of the reasons why the HIPAA encryption requirements are not tightly defined and are left open to interpretation is that, when the original Security Rule was enacted, it was acknowledged that technology evolves. What may be thought of as appropriate encryption standards one day, may be inappropriate the next. Just consider how passwords have evolved during the life of HIPAA.
Due to this the Department of Health and Human Services did not request that covered groups put in place security mechanisms that could be out-of-date with a few years and instead left the HIPAA encryption requirements “technology neutral”. This allows covered groups to choose the most appropriate solution for their business operations. The encryption requirements apply to all parts of the IT system, from clients like cell phones to the servers like Amazon Cloud or Microsoft Azure.
HIPAA Compliant Email Encryption
The HIPAA Security Rule permits covered groups to send ePHI via email over an electronic open network, provided the information is adequately secured. HIPAA-covered groups must choose whether or not to use encryption for email. That decision must be based on the outcome of a risk analysis. The risk analysis will spot the risks to the confidentiality, integrity, and availability of ePHI, and a risk management plan must then be developed to lessen those dangers to an appropriate level.
One of the tactics for managing risk is to use encryption for all messages, although if an appropriate level of security can be offered by another means, the covered group can use that measure instead of encryption. The decision, along with details of the alternative protection must be officially recorded and made available to OCR in the event of an audit taking place.
OCR does not outline specific HIPAA email encryption requirements, but covered groups can find out more about electronic mail security from the National Institute of Standards and Technology (NIST) – See SP 800-45 Version 2. NIST recommends implementing the Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption, OpenPGP, and S/MIME.
Resolving Encryption Issues Using Secure Messaging Solutions
As a result of the increased use of personal mobile devices in the workplace, sustaining the integrity of PHI in a healthcare environment is an issue for many covered groups. Approximately 80% of healthcare workers use a mobile device to help them manage their workflows. Abandoning unencrypted laptops, Smartphone devices and tablets would have major consequences for the flow of communication in a healthcare group.
An answer for the encryption issue is to adapt a secure messaging platform. Secure messaging platforms adhere with the HIPAA encryption requirements by encrypting PHI both at rest and in transit – making it unreadable, undecipherable and unusable if a communication that holds PHI is intercepted or accessed without official permission. These secure messaging solutions not only comply with HIPAA email encryption requirements, they also comply with the requirements for access control, audit controls, integrity controls, and ID authentication.
Summary of HIPAA Encryption Requirements
Covered entities and business associates must conduct a thorough risk analysis to assess the vulnerabilities associated with protected health information (PHI) and determine if encryption is a reasonable and appropriate safeguard. If encryption is deemed necessary, organizations should implement robust encryption methods for both PHI in transit and at rest. This includes encrypting data during transmission over networks and securing stored PHI in databases, electronic health record systems, and portable devices. The encryption solutions chosen should utilize strong and widely accepted encryption algorithms or technologies. Additionally, organizations must implement stringent access controls and authentication measures to safeguard encryption keys. Regular monitoring, employee training, and policy development are crucial to ensuring compliance with HIPAA encryption requirements. By adhering to these requirements, organizations can bolster the security of PHI, mitigate the risks of data breaches, and demonstrate their commitment to protecting patient privacy.