The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Encryption Requirements

The HIPAA encryption requirements have increased in relevance since an amendment to the HITECH Act in 2021 gave HHS’ Office for Civil Rights the discretion to refrain from enforcing penalties for HIPAA violations when covered entities and business associates can demonstrate at least twelve months of HIPAA compliance with a recognized security framework.

The HIPAA encryption requirements only occupy a small section of the Technical Safeguards in the Security Rule (45 CFR §164.312), yet they are some of the most significant requirements in terms of maintaining the confidentiality of electronic Protected Health Information (ePHI) and for determining whether a data breach is a notifiable incident under the Breach Notification Rule.

In addition to being significant requirements, when encryption solutions are implemented that comply with NIST SP 800-111 for data at rest and NIST SP 800-52 for data in transit, the encryption solutions contribute toward compliance with a recognized security framework as required by the 2021 amendment to the HITECH Act (HR 7898). For this reason, it can be worth spending time understanding the HIPAA encryption requirements.

What are the HIPAA Encryption Requirements?

The HIPAA encryption requirements are included in the Security Rule standards relating to access controls and transmission security. The inclusion of an encryption requirement in the first of these standards can be a little confusing taken out of context because the standard refers to allowing access “only to those persons or software programs that have been granted access rights”.


Once you put the standard into the context of the Security Rule as a whole, the purpose of the requirement is to ensure ePHI is unreadable, undecipherable, and unusable to any person or software program that has not been granted access rights. When implementing this standard, it is also important to consider other standards relating to (for example) person or entity authentication, emergency mode operation plan, and password management.

The second standard requires covered entities and business associates to implement technical security measures to guard against unauthorized access to ePHI being transmitted over an electronic communications network. Although it is possible to prevent unauthorized access by using a VPN, a more logical solution is to implement encryption software so that, if electronic communications containing ePHI are accessed by unauthorized persons, they cannot be read, deciphered, or used.

HIPAA Data at Rest Encryption Requirements

The HIPAA data at rest encryption requirements (in the “access controls” standard) refer to any ePHI maintained on a server, in a desktop file, on a USB drive, or on a mobile device. However, it is a good idea to apply the HIPAA data at rest encryption requirements to as much data as possible to prevent hackers from getting into a network at its weakest point and moving laterally through the network.

Unencrypted devices (unencrypted because they do not create, maintain, or transmit ePHI) are easy targets for hackers – who can use malware, phishing, or brute force attacks to access the devices. Thereafter, when the device connects to a network, hackers can infiltrate the network through any other unprotected gateway to search for other weak points until they find their target(s).

Applying the HIPAA data at rest encryption requirements to as much data as possible (including login credentials and authentication codes) can create sufficient obstacles for hackers to give up and move onto an easier target. While this may slow down some processes (because encrypted access takes longer to perform), any loss in productivity is compensated for with a higher level of security.

HIPAA Compliant Email Encryption Software

With regard to encrypting data in transit (in the “transmission security” standard), HIPAA compliant email encryption software is the most effective way to protect ePHI contained within emails, as it encrypts not only the text content of emails but also any file or image attachments. However, it is important to note that, if using an email service alongside HIPAA compliant email encryption software, it will be necessary to enter into a Business Associate Agreement with the service provider.

It is also important to note that encryption is one of two implementation specifications required by the transmission security standard – the other being integrity controls. Any HIPAA compliant email encryption software implemented to comply with this standard must also have features that prevent the unauthorized alteration or deletion of emails. It is for this reason that instant messaging apps such as WhatsApp are not HIPAA compliant even though messages are encrypted.

One solution to ensuring the integrity and availability of ePHI communicated by email is to implement a HIPAA compliant email archiving solution that takes a copy of each email as it passes through the mail server and stores it in read-only format on a secure server. This not only guarantees there is an immutable copy of each email, but can also help covered entities more easily comply with retention requirements for HIPAA documentation and patients’ medical records.

The Benefits of HIPAA Compliant Encryption

The benefits of HIPAA compliant encryption are that covered entities and business associates are less likely to experience a notifiable breach of unsecured ePHI; and, if they do, they will be able to demonstrate compliance with a recognized security framework. Both of these benefits have significant financial and administrative consequences for covered entities and business associates.

Having fewer notifiable breaches of unsecured ePHI not only reduces the administrative overhead of notifying every affected individual, organizing (and paying for) credit monitoring, and complying with a breach investigation; the absence of breach notifications also improves the organization’s compliance history with HHS’ Office for Civil Rights – a factor taken into account should a HIPAA violation occur which could not have been prevented with encryption.

The consequence of being able to demonstrate compliance with a recognized security framework is that – since the 2021 amendment to the HITECH Act – HHS’ Office for Civil Rights has the authority to refrain from enforcing penalties for HIPAA violations and to adopt a flexible approach to the length and extent of compliance investigations, audits, and Corrective Action Plans. This is a further reason why it can be worth spending time understanding the HIPAA encryption requirements.

HIPAA Encryption Requirements: FAQs

What is data encryption under HIPAA?

Data encryption under HIPAA is when electronic Protected Health Information (ePHI) is scrambled using an algorithm. The data can only be unscrambled by an authorized individual with access to an encryption key. In most cases, the encryption key is a password or other authentication method assigned by a covered entity or business associate to authorized individuals.

Why should ePHI be encrypted at rest and in transit?

ePHI should be encrypted at rest and in transit to prevent data being readable, decipherable, or usable by unauthorized parties regardless of whether the data is hacked from a server or intercepted in a communication sent over an open network. If data acquired without authorization is unreadable, undecipherable, and unusable, the loss of data is not a notifiable breach of unsecured ePHI.

Who must comply with the HIPAA Security Rule?

All covered entities and business associates must comply with the HIPAA Security Rule. It is also advisable for organizations that collect, maintain, or transmit individually identifiable health information (for example, vendors of personal health records and fitness wearables) to adopt Security Rule standards in order to protect the confidentiality, integrity, and availability of data.

Does HIPAA require encryption?

HIPAA does not require encryption. The HIPAA encryption “rules” are addressable implementation specifications, which means covered entities and business associates do not have to comply with them if they are not “reasonable and appropriate […] when analyzed with reference to the likely contribution to protecting ePHI” and an equivalent alternative measure is implemented instead.

What is the benefit of HIPAA encryption in transit?

Communications containing ePHI travel through multiple routers on the journey from sender to recipient. Each router maintains a temporary copy of the communications, and hackers can intercept communications at any stage of the journey. The benefit of HIPAA encryption in transit is that, if a hacker accesses a router or intercepts a communication, the ePHI contained in the communication is unreadable, indecipherable, and unusable.

What are the HIPAA encryption standards?

The HIPAA encryption standards are the minimum standards recommended by NIST to protect ePHI at rest and in transit. At present, the absolute minimum standard is AES 128-bit encryption. However, this standard was developed almost fifty years ago, and it is recommended organizations implement more secure solutions supporting AES 192-bit and 256-bit encryption.

What are the HIPAA Security Rule encryption requirements?

The HIPAA Security Rule encryption requirements are to “implement a mechanism to encrypt and decrypt ePHI” to allow access only to those persons or software programs that have been granted access rights (45 CFR §164.312(a)(1)), and to “implement a mechanism to encrypt ePHI whenever deemed appropriate” to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network (45 CFR §164.312(e)(2)).

Is Office 365 email encryption HIPAA compliant?

Office 365 email encryption is HIPAA compliant provided a Business Associate Agreement is signed with Microsoft. This is because, although Microsoft cannot access the data (because the covered entity or business associate maintains the decryption key), the Department of Health and Human Services considers cloud service providers to have persistent access to data.

What HIPAA encryption software is recommended by HHS?

No HIPAA encryption software is recommended by HHS (the Department of Health and Human Services) because, when the Security Rule standards were originally published, the agency acknowledged technology would advance during the lifetime of HIPAA (the need for increasing password complexity is a good example of this).

What email services support HIPAA level encryption?

Most email services support HIPAA level encryption. However, encryption is not the only consideration for HIPAA email compliance. To comply with HIPAA, email services must also support audit, integrity, and authentication controls as well as be willing to enter into a Business Associate Agreement. You can read more about HIPAA compliant email providers in this article.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
