This entry is part 35 of 59 in the series Complete Guide to HIPAA Security Final Rule

(2) Implementation specifications:

(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

Tell Me More:

The Encryption and Decryption implementation specification requires covered entities and business associates to address whether to implement a mechanism to encrypt and decrypt electronic protected health information. While the specification is addressable, HITECH provides a safe harbor within the Breach Notification Rule for PHI that is “secured”, and encrypted ePHI is considered secured.

The use of file encryption is an acceptable method of denying access to information in files or directories. Encryption provides confidentiality, which is one form of access control. Whether to use encryption as an access control for data at rest should be based upon the entity’s risk analysis. Encryption also effectively provides “safe harbor” under the Breach Notification Rule: encrypted ePHI is considered “secured”, and breaches of “secured” ePHI do not require notification.

Applications or media that might pose a greater risk (and thus indicate that encryption may be appropriate) include Web-based applications and portable media such as laptops, USB drives, PDAs, disks and CDs. This implementation specification addresses the need to encrypt ePHI both at rest and in transit. It is discussed further under the Transmission Security Standard.

Questions to consider:

  • Has your organization evaluated the need to encrypt some or all of its data at rest? Consider, for example, the need to encrypt PHI on laptop computers and other mobile devices.
  • Are portable media devices used to create, receive, maintain or transmit ePHI?
  • If your organization does use encryption, does it meet HHS/OCR guidance?


Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years of legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights, where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.