Dedicated to providing the latest
HIPAA compliance news

HIPAA Encryption Requirements

HIPAA Encryption Requirements

The HIPAA encryption requirements have, for some, been a source of confusion. The reason for this is the technical safeguards relating to the encryption of Protected Health Information (PHI) are defined as “addressable” requirements.

Furthermore, the HIPAA encryption requirements for transmission security state that covered entities should “implement a mechanism to encrypt PHI whenever deemed appropriate”. This instruction is considerably vague and open to interpretation – hence the confusion.

Understanding the HIPAA Encryption Requirements

The term “addressable” does not mean the safeguard is something that can be put off until another day. It actually means that the safeguard should be implemented, an alternative to the safeguard that produces the same results should be implemented, or a covered entity has to document (with a justifiable reason) why no course of action has been taken in respect of this safeguard.

The phrase “whenever deemed appropriate” could, for example, be applied to covered entities that exchange communications via an internal server protected by a firewall. In this scenario, there should be no risk to the integrity of PHI from an outside source when confidential patient data is at rest or in transit.

Once a communication containing PHI goes beyond a covered entity´s firewall, encryption becomes an addressable safeguard that must be dealt with. This applies to any form electronic communication – email, SMS, instant message, etc. – except in the case where a patient has given their express, written permission for their PHI to be communicated without encryption.

How to Approach Encryption Issues

One of the reasons why the HIPAA encryption requirements are vague and open to interpretation is that, when the original Security Rule was enacted, it was acknowledged that technology advances. What may be considered appropriate encryption standards one day, may be inappropriate another. Just look at how passwords have evolved during the life of HIPAA.

Consequently the Department of Health and Human Services did not demand that covered entities implement security mechanisms that could be out-of-date with a few years and instead left the HIPAA encryption requirements “technology neutral”. This allows covered entities to select the most appropriate solution for their individual circumstances.  The encryption requirements apply to every part of the IT system, from clients like cell phones to the servers like Amazon Cloud or Microsoft Azure.

HIPAA Email Encryption

The HIPAA Security Rule allows covered entities to transmit ePHI via email over an electronic open network, provided the information is adequately protected. HIPAA-covered entities must decide whether or not to use encryption for email. That decision must be based on the results of a risk analysis. The risk analysis will identify the risks to the confidentiality, integrity, and availability of ePHI, and a risk management plan must then be developed to reduce those risks to an appropriate level.

One of the ways that risk can be managed is by using encryption for all messages, although if an equivalent level of protection can be offered by another means, the covered entity can use that measure in place of encryption. The decision, along with details of the alternative protection must be documented and made available to OCR in the event of an audit.

OCR does not specify HIPAA email encryption requirements, but covered entities can find out more about electronic mail security from the National Institute of Standards and Technology (NIST) – See SP 800-45 Version 2. NIST recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption, OpenPGP, and S/MIME.

Using Secure Messaging Solutions to Resolve Encryption Issues

Due to the increased use of personal mobile devices in the workplace, maintaining the integrity of PHI in a healthcare environment is a problem for many covered entities. Around 80% of healthcare professionals use a mobile device to help them manage their workflows. Abandoning unencrypted laptops, Smartphones and tablets would have serious consequences for the flow of communication in a healthcare organization.

A solution to the encryption issue is to implement a secure messaging platform. Secure messaging platforms comply with the HIPAA encryption requirements by encrypting PHI both at rest and in transit – making it unreadable, undecipherable and unusable if a communication containing PHI is intercepted or accessed without authorization. These secure messaging solutions not only meet HIPAA email encryption requirements, they also meet the requirements for access control, audit controls, integrity controls, and ID authentication.

Find Out More about Encryption

If you would like to know more about the HIPAA encryption requirements in greater detail, you are invited to download and read our “HIPAA Compliance Guide”. Our guide provides information about all the administrative, physical and technical safeguards of the HIPAA Security Rule, plus measures that can be taken to comply with the safeguards.

Also included in the HIPAA Compliance Guide is further information about secure messaging solutions – how they work, their security features and the proven benefits of secure messaging. The content is supported by case studies from a number of covered entities that have implemented secure messaging solutions in order to comply with the HIPAA encryption requirements.