14. Does HIPAA require database protection?
Answer: We’re often asked whether HIPAA requires database protection. It’s a good question, but one that needs to be examined carefully. HIPAA may not directly speak to or require database protection, but reading “between the lines” gives you a clear mandate that database protection “should” and must be in place, and here’s why. The overall mandate of the HIPAA Security Rule is the safety and security of Protected Health Information (PHI); after all, that is the main reason the Security Rule was put into place. Covered Entities (CE) and Business Associates (BA) store massive amounts of PHI, along with other sensitive consumer and patient data, and most of it resides in a relational database. Doesn’t the database itself therefore require protection? Of course it does, which means encrypting, truncating, or one-way hashing PHI is a must for HIPAA compliance.
HIPAA Encryption Requirements as stated in the Security Rule Provisions
As for the subject of encryption – which is essential for database protection – HIPAA states the following as being “addressable”:
- 164.312(a)(2)(iv) Implement a mechanism to encrypt and decrypt electronic protected health information.
- 164.312(e)(2)(ii) Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
We at Flat Iron Technologies, LLC make no distinction between “addressable” and “required” and you shouldn’t either. Look upon every mandate within HIPAA as “required” and dismiss the notion of “addressable”. This is a valid assumption for a number of core reasons:
- HIPAA, even the Security Rule, was authored at a time when encryption and other industry-leading security tools and protocols were extremely expensive, time-consuming to implement, and not available to all organizations. Furthermore, the healthcare industry was still living in a paper-based environment (and in many respects still is).
- It’s a litigious world we live in. Imagine having a breach of Protected Health Information (PHI) and your defense is that the mandate was only “addressable”, so you decided not to implement the security control. That is probably not the best answer to give a jury or whoever else is posing such a daunting question. Again, do not make any distinction between “addressable” and “required”.
So does HIPAA require database protection? Absolutely, especially if Protected Health Information (PHI) is being stored. While encryption is without question the best form of database protection for PHI at “rest”, don’t forget that database access control, and many other information security 101 best practices, are also necessary for comprehensive database protection. Specifically, access to databases should be limited to authorized personnel only (i.e., Database Administrators), auditing and logging should be configured so that all database actions are captured and monitored, and database performance metrics should also be in place.
There’s quite a bit that goes into database protection for HIPAA compliance, and as one can see, it’s much more than just encryption. Thus, the question “Does HIPAA require database protection?” needs to be assessed from many different angles: first and foremost from the perspective of PHI at rest, and then against all the other database protection best practices just discussed, such as access control and database monitoring.
Download HIPAA Policies and Toolkits Today
hipaapoliciesandprocedures.com offers industry leading HIPAA policies and toolkits for instant download today. Covered Entities (CE) and Business Associates (BA) can now turn to Flat Iron Technologies, LLC for all their HIPAA compliance needs.