HIPAA Encryption Requirements
HIPAA Encryption Requirements
The HIPAA encryption requirements have, for some, been a source of confusion. The reason for this is the technical safeguards relating to the encryption of Protected Health Information (PHI) are defined as “addressable” requirements.
Furthermore, the HIPAA encryption requirements for transmission security state that covered entities should “implement a mechanism to encrypt PHI whenever deemed appropriate”. This instruction is considerably vague and open to interpretation – hence the confusion.
Understanding the HIPAA Encryption Requirements
The term “addressable” does not mean the safeguard is something that can be put off until another day. It actually means that the safeguard should be implemented, an alternative to the safeguard that produces the same results should be implemented, or a covered entity has to document (with a justifiable reason) why no course of action has been taken in respect of this safeguard.
The phrase “whenever deemed appropriate” could, for example, be applied to covered entities that exchange communications via an internal server protected by a firewall. In this scenario, there should be no risk to the integrity of PHI from an outside source when confidential patient data is at rest or in transit.
Once a communication containing PHI goes beyond a covered entity´s firewall, encryption becomes an addressable safeguard that must be dealt with. This applies to any form electronic communication – email, SMS, instant message, etc. – except in the case where a patient has given their express, written permission for their PHI to be communicated without encryption.
How to Approach Encryption Issues
One of the reasons why the HIPAA encryption requirements are vague and open to interpretation is that, when the original Security Rule was enacted, it was acknowledged that technology advances. What may be considered appropriate encryption standards one day, may be inappropriate another. Just look at how passwords have evolved during the life of HIPAA.
Consequently the Department of Health and Human Services did not demand that covered entities implement security mechanisms that could be out-of-date with a few years and instead left the HIPAA encryption requirements “technology neutral”. This allows covered entities to select the most appropriate solution for their individual circumstances. The encryption requirements apply to every part of the IT system, from clients like cell phones to the servers like Amazon Cloud or Microsoft Azure.
Using Secure Messaging Solutions to Resolve Encryption Issues
Due to the increased use of personal mobile devices in the workplace, maintaining the integrity of PHI in a healthcare environment is a problem for many covered entities. Around 80% of healthcare professionals use a mobile device to help them manage their workflows. Abandoning unencrypted laptops, Smartphones and tablets would have serious consequences for the flow of communication in a healthcare organization.
A solution to the encryption issue is to implement a secure messaging platform. Secure messaging platforms comply with the HIPAA encryption requirements by encrypting PHI both at rest and in transit – making it unreadable, undecipherable and unusable if a communication containing PHI is intercepted or accessed without authorization.
Find Out More about Encryption
If you would like to know more about the HIPAA encryption requirements in greater detail, you are invited to download and read our “HIPAA Compliance Guide”. Our guide provides information about all the administrative, physical and technical safeguards of the HIPAA Security Rule, plus measures that can be taken to comply with the safeguards.
Also included in the HIPAA Compliance Guide is further information about secure messaging solutions – how they work, their security features and the proven benefits of secure messaging. The content is supported by case studies from a number of covered entities that have implemented secure messaging solutions in order to comply with the HIPAA encryption requirements.