HIPAA Encryption Requirements
HIPAA Encryption Requirements
The HIPAA encryption requirements have, for some, been a source of confusion. The reason for this is the technical safeguards relating to the encryption of Protected Health Information (PHI) are defined as “addressable” requirements.
Furthermore, the HIPAA encryption requirements for transmission security state that covered entities should “implement a mechanism to encrypt PHI whenever deemed appropriate”. This instruction is considerably vague and open to interpretation – hence the confusion.
Understanding the HIPAA Encryption Requirements
The term “addressable” does not mean the safeguard is something that can be put off until another day. It actually means that the safeguard should be implemented, an alternative to the safeguard that produces the same results should be implemented, or a covered entity has to document (with a justifiable reason) why no course of action has been taken in respect of this safeguard.
Worried about HIPAA Compliance?
HIPAA Risk Assessment
Compulsory under Section 164 308(A)(1)(II)(A)
For small and medium-sized medical practices.
Answer survey, receive free 23-page report.
Sponsored by HIPAA Journal
The phrase “whenever deemed appropriate” could, for example, be applied to covered entities that exchange communications via an internal server protected by a firewall. In this scenario, there should be no risk to the integrity of PHI from an outside source when confidential patient data is at rest or in transit.
Once a communication containing PHI goes beyond a covered entity´s firewall, encryption becomes an addressable safeguard that must be dealt with. This applies to any form electronic communication – email, SMS, instant message, etc. – except in the case where a patient has given their express, written permission for their PHI to be communicated without encryption.
How to Approach Encryption Issues
One of the reasons why the HIPAA encryption requirements are vague and open to interpretation is that, when the original Security Rule was enacted, it was acknowledged that technology advances. What may be considered appropriate encryption standards one day, may be inappropriate another. Just look at how passwords have evolved during the life of HIPAA.
Consequently the Department of Health and Human Services did not demand that covered entities implement security mechanisms that could be out-of-date with a few years and instead left the HIPAA encryption requirements “technology neutral”. This allows covered entities to select the most appropriate solution for their individual circumstances.
Using Secure Messaging Solutions to Resolve Encryption Issues
Due to the increased use of personal mobile devices in the workplace, maintaining the integrity of PHI in a healthcare environment is a problem for many covered entities. Around 80% of healthcare professionals use a mobile device to help them manage their workflows. Abandoning unencrypted laptops, Smartphones and tablets would have serious consequences for the flow of communication in a healthcare organization.
A solution to the encryption issue is to implement a secure messaging platform. Secure messaging platforms comply with the HIPAA encryption requirements by encrypting PHI both at rest and in transit – making it unreadable, undecipherable and unusable if a communication containing PHI is intercepted or accessed without authorization.
The Benefits of Secure Messaging Platforms
With a secure messaging solution, healthcare professionals can retain the speed and convenience of mobile devices simply by downloading a secure messaging app. Once logged into the app, they can send and receive messages containing PHI – or those with attachments containing PHI – as they normally would without risking a breach of the HIPAA encryption requirements.
Secure messaging platforms also comply with the other technical safeguards of the HIPAA Security Rule relating to the unauthorized disclosure of PHI and transmission security. Indeed, due to mechanisms intended to comply with the requirements for message accountability, many covered entities have found that secure messaging platforms actually accelerate the flow of communication.
Find Out More about Encryption and Secure Messaging
If you would like to know more about the HIPAA encryption requirements in greater detail, you are invited to download and read our “HIPAA Compliance Guide”. Our guide provides information about all the administrative, physical and technical safeguards of the HIPAA Security Rule, plus measures that can be taken to comply with the safeguards.
Also included in the HIPAA Compliance Guide is further information about secure messaging solutions – how they work, their security features and the proven benefits of secure messaging. The content is supported by case studies from a number of covered entities that have implemented secure messaging solutions in order to comply with the HIPAA encryption requirements.