16. Does HIPAA data need to be encrypted?
Answer: We’re often asked if HIPAA data needs to be encrypted, and it does, and here’s why. While the original HIPAA Security Rule – published years ago – does not directly mandate that data be encrypted, it lists encryption as an “addressable” implementation specification, one that can be implemented as the entity sees fit. Fast forward to today’s world of cyber security and we all know that’s not acceptable, which is why we also take the very strong position that HIPAA data needs to be encrypted.
HIPAA Encryption Requirements as Published in the Security Rule Provisions
As for the encryption mandate within the HIPAA Security Rule, please note the following, which is deemed “addressable”:
- 164.312(a)(2)(iv) Implement a mechanism to encrypt and decrypt electronic protected health information.
- 164.312(e)(2)(ii) Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
Ask yourself this very important question: How else – as a Covered Entity (CE) or Business Associate (BA) – are you going to ensure the safety and security of Protected Health Information (PHI) in electronic format? Encryption is really the only answer, thus we would argue there’s nothing “addressable” about encryption – use it, and use it wherever PHI is stored and transmitted.
PHI being sent over untrusted public networks needs to be protected with HTTPS (TLS, typically on port 443), and PHI at rest needs to be protected with file, column, or even full disk encryption – it’s really that simple. Truncating or hashing PHI at rest could also be used if cost or technical obstacles prevent the use of encryption, but this should only be temporary.
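As an added illustration of the column-level encryption at rest mentioned above (example code written for this page, not from the original author or any HIPAA toolkit), the Go functions below seal a single PHI column value with AES-256-GCM and bind the row’s record ID as additional authenticated data, so a ciphertext copied from one patient’s row into another fails to decrypt. The function names, the record ID convention and the assumption that the key is held outside the database (for example in a KMS or HSM) are this example’s own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptColumn seals one PHI column value for storage in a binary column.
// The row's record ID is bound as additional authenticated data, so a
// ciphertext moved to another row fails to decrypt. Returns nonce||ct||tag.
// The key is assumed to come from a KMS/HSM and is never stored with the data.
func EncryptColumn(key []byte, recordID, plaintext string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID)), nil
}

// DecryptColumn reverses EncryptColumn; GCM's tag check rejects both
// tampering and a record ID that differs from the one used at seal time.
func DecryptColumn(key []byte, recordID string, sealed []byte) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(sealed) < aead.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(recordID))
	return string(pt), err
}
```

Only the PHI columns (diagnosis, SSN, and so on) need this treatment; non-sensitive lookup keys such as the record ID stay in the clear so queries still work.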
HIPAA Encryption Requirements | It’s for all Third-Party Providers Also
It’s also important to ensure that all critical third parties that have access to PHI data are also using encryption at rest and in transit. In fact, the ability to effectively monitor all relevant third parties to ensure the safety and security of PHI is a big – and growing – task for healthcare providers in North America. In today’s global economy, it seems as if everyone is outsourcing some type of service to another company – and that’s perfectly acceptable – provided that effective monitoring initiatives are in place to ensure such providers are safeguarding the data.
Heavy fines and embarrassing front page headlines are just the beginning when it comes to HIPAA non-compliance. Add to the mix the barrage of legal issues, and it’s clear to see how not complying with the Health Insurance Portability and Accountability Act (HIPAA) can literally be a nightmare for Covered Entities (CE) and Business Associates (BA). With everything that’s been discussed regarding HIPAA and encryption, how can encryption not be used or mandated? I think the answer is quite clear by now – don’t you? Use encryption at all times.
Hang up the fax machines, ditch the Instant Messaging portals, and start thinking seriously about what it really takes to ensure the safety and security of Protected Health Information (PHI) in today’s digitally driven, cyber-security-conscious world. HIPAA compliance is serious business – no question about it – so now’s the time to really start focusing on protecting PHI.
HIPAA Policies and Compliance Toolkits Available for Instant Download
hipaapoliciesandprocedures.com offers high-quality, professionally researched and authored HIPAA policies and procedures, along with comprehensive HIPAA-specific information security and operational templates and documents for immediate download today. Additionally, we offer HIPAA strategy and consulting services to Covered Entities (CE) and Business Associates (BA) throughout North America.