(2) Implementation specifications:

 (iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

Tell Me More:

The Encryption and Decryption implementation specification requires covered entities and business associates to address implementing a mechanism to encrypt and decrypt electronic protected health information. While addressable, HITECH provides safe harbor within the Breach Notification Rule for PHI that is “secured”. For ePHI, encrypted ePHI is considered secured.

The use of file encryption is an acceptable method of denying access to information in files or directories. Encryption provides confidentiality, which is a form of control. The use of encryption for the purpose of access control of data at rest should be based upon an entity’s risk analysis. Encryption also effectively provides “safe harbor” in the Breach Notification Rule, since encrypted ePHI is considered “secured” and breaches of “secured” ePHI do not require notification.

Applications or media which might pose a greater risk (thus indicating encryption may be appropriate) include Web-based applications and portable media such as laptops, USB drives, PDAs, disks and CDs. This implementation specification addresses the need to encrypt ePHI both at rest and in transit. It is discussed further under the Transmission Security Standard.


Questions to consider:

  • Has your organization evaluated the need to encrypt some or all of its data at rest? Consider, for example, the need to encrypt PHI on laptop computers and other mobile devices.
  • Are portable media devices used to create, receive, maintain or transmit ePHI?
  • If your organization does use encryption, does it meet HHS/OCR guidance?

