(2) Implementation specifications:
(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
Tell Me More:
The Encryption and Decryption implementation specification requires covered entities and business associates to address implementing a mechanism to encrypt and decrypt electronic protected health information. Although the specification is addressable, HITECH provides safe harbor within the Breach Notification Rule for PHI that is “secured”; for ePHI, encrypted ePHI is considered secured.
The use of file encryption is an acceptable method of denying access to information in files or directories. Encryption provides confidentiality, which is a form of control. Whether to use encryption for access control of data at rest should be based upon the entity’s risk analysis. Encryption also effectively provides “safe harbor” under the Breach Notification Rule, since encrypted ePHI is considered “secured” and breaches of “secured” ePHI do not require notification.
Applications or media that pose a greater risk (and thus indicate that encryption may be appropriate) include Web-based applications and portable media such as laptops, USB drives, PDAs, disks and CDs. This implementation specification addresses the need to encrypt ePHI both at rest and in transit; it is discussed further under the Transmission Security Standard.
Questions to consider:
- Has your organization evaluated the need to encrypt some or all of its data at rest? Consider, for example, the need to encrypt PHI on laptop computers and other mobile devices.
- Are portable media devices used to create, receive, maintain or transmit ePHI?
- If your organization does use encryption, does it meet HHS/OCR guidance?
References:
- NIST SP 800-12, chapter 17, An Introduction to Computer Security: The NIST Handbook
- NIST SP 800-34, Contingency Planning Guide for Information Technology Systems
- NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems
- NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems
- NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST SP 800-56, Recommendation on Key Establishment Schemes
- NIST SP 800-57, Recommendation on Key Management
- NIST SP 800-63, Recommendation for Electronic Authentication
- FIPS 140-2, Security Requirements for Cryptographic Modules
- NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations
- NIST SP 800-77, Guide to IPsec VPNs
- NIST SP 800-88, Guidelines for Media Sanitization
- NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices
- NIST SP 800-113, Guide to SSL VPNs