Encryption Requirements for HIPAA

The encryption requirements for HIPAA have been a source of much discussion because the technical safeguards relating to the encryption of Protected Health Information (PHI) are classified as “addressable” requirements.

In addition to this, the HIPAA encryption requirements for transmission security state that covered groups should “implement a mechanism to encrypt PHI whenever deemed appropriate”. This direction is considerably vague and is left open to interpretation – hence the uncertainty about what it applies to.

Explaining the HIPAA Encryption Requirements

The term “addressable” does not mean the security measure is something that can be disregarded until later. It actually means that one of three things must happen: the security measure must be implemented, an alternative measure that produces the same result must be implemented, or the covered group must record (with a justifiable reason) why no course of action has been implemented in place of this security measure.

The term “whenever deemed appropriate” could, for instance, be applied to covered groups that share communications via an internal server protected by a firewall. In this case, there should be no danger to the integrity of PHI from an outside source when confidential patient data is at rest or on the move.

Once a communication that includes PHI is sent beyond a covered entity’s firewall, encryption becomes an addressable safeguard that must be enabled. This applies to any form of digital communication – email, text message, instant message, etc. – except when a patient has given their express, written permission for their PHI to be communicated without encryption.

How to Consider Encryption Solutions

One of the reasons why the HIPAA encryption requirements are not tightly defined and are left open to interpretation is that, when the original Security Rule was enacted, it was acknowledged that technology evolves. What may be thought of as an appropriate encryption standard one day may be inappropriate the next. Just consider how password practices have evolved during the life of HIPAA.

For this reason the Department of Health and Human Services did not require covered groups to put in place security mechanisms that could be out of date within a few years, and instead left the HIPAA encryption requirements “technology neutral”. This allows covered groups to choose the most appropriate solution for their business operations. The encryption requirements apply to all parts of the IT system, from clients such as cell phones to servers such as Amazon Cloud or Microsoft Azure.

HIPAA Compliant Email Encryption

The HIPAA Security Rule permits covered groups to send ePHI via email over an open electronic network, provided the information is adequately secured. HIPAA-covered groups must decide whether or not to use encryption for email, and that decision must be based on the outcome of a risk analysis. The risk analysis identifies the risks to the confidentiality, integrity, and availability of ePHI, and a risk management plan must then be developed to reduce those risks to an appropriate level.

One of the tactics for managing risk is to use encryption for all messages, although if an appropriate level of security can be provided by another means, the covered group can use that measure instead of encryption. The decision, along with details of the alternative protection, must be officially recorded and made available to OCR in the event of an audit.

OCR does not outline specific HIPAA email encryption requirements, but covered groups can find out more about electronic mail security from the National Institute of Standards and Technology (NIST) – see SP 800-45 Version 2. NIST recommends implementing the Advanced Encryption Standard (AES) with 128-, 192- or 256-bit keys, OpenPGP, and S/MIME.

Resolving Encryption Issues Using Secure Messaging Solutions

As a result of the increased use of personal mobile devices in the workplace, sustaining the integrity of PHI in a healthcare environment is an issue for many covered groups. Approximately 80% of healthcare workers use a mobile device to help them manage their workflows. Abandoning unencrypted laptops, smartphones and tablets would have major consequences for the flow of communication in a healthcare group.

One answer to the encryption issue is to adopt a secure messaging platform. Secure messaging platforms adhere to the HIPAA encryption requirements by encrypting PHI both at rest and in transit – making it unreadable, undecipherable and unusable if a communication that holds PHI is intercepted or accessed without authorization. These secure messaging solutions not only comply with HIPAA email encryption requirements, they also comply with the requirements for access control, audit controls, integrity controls, and ID authentication.