This entry is part 48 of 59 in the series Complete Guide to HIPAA Security Final Rule

(2) Implementation specifications:

(ii) Encryption (Addressable).  Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.


Tell Me More:

The Encryption implementation specification requires covered entities to address implementing a mechanism to encrypt electronic protected health information (ePHI) whenever deemed appropriate. Encryption transforms plaintext into ciphertext; decryption transforms ciphertext back into plaintext.

Covered entities and business associates must seriously consider encrypting ePHI transmitted over the Internet. As business practices and technologies change, there may be situations in which ePHI transmitted from a covered entity would be at significant risk of access by unauthorized parties. Where the risk analysis shows that risk to be significant, covered entities should encrypt such transmissions. As a rule, any ePHI transmitted over an open network (such as the Internet) should be encrypted.

Almost incredibly, at the time of this writing, encryption of ePHI in transit is an addressable implementation specification rather than a required one. Addressable does not mean optional: an entity that concludes encryption is not reasonable and appropriate in its environment must document that decision and implement an equivalent alternative measure where one is reasonable and appropriate. Covered entities and business associates are nonetheless encouraged to use encryption when transmitting electronic protected health information, particularly over the Internet.

As business practices and technology change, situations may arise in which electronic protected health information transmitted from a covered entity would be at significant risk of access by unauthorized entities. Where the risk analysis shows such risk to be significant, covered entities are expected to encrypt those transmissions, if appropriate, under the addressable implementation specification for encryption. It is understood that encryption may not be a feasible option for every covered entity, for example some small providers.

The manner in which a covered entity receives electronic protected health information does not affect the requirement that the covered entity protect that information once it is in the covered entity's possession.

The Security Rule is committed to the principle of technology neutrality because rapidly changing technology makes it impractical and inappropriate to name a specific technology. The final rule therefore states a general standard for transmission security and relies on covered entities to determine the technical details.

Industry best practice is to select encryption controls according to the sensitivity of the data and integrity controls according to its criticality. Note that encryption by itself does not provide integrity: a ciphertext can be altered in transit without detection unless an integrity control (a message authentication code, an authenticated-encryption mode, or a digital signature) is applied as well. Because these controls carry cost and performance overhead, they should be applied judiciously, but care must be taken that the "reasonable and appropriate" criterion is still satisfied.
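Encryption and integrity are separate controls, and the difference matters for ePHI in transit. The following Go program is an added example (it is not code from the original article or from Clearwater Compliance) and uses only the Go standard library. It encrypts a constructed sample record with AES-CTR, which provides confidentiality only, and shows that an attacker who flips a single ciphertext byte without knowing the key changes the dosage from 500mg to 600mg with no error on decryption. It then seals the same record with AES-GCM, an authenticated-encryption mode, where the same modification is rejected before any plaintext is released. The record, the message-id header, and the keys are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Constructed sample record standing in for ePHI in transit (not real data).
const sampleRecord = "PatientID=1042;Rx=Metformin 500mg"

// encryptCTR applies AES-CTR. CTR is a stream mode: it hides the content but
// carries no integrity check, so a modified ciphertext still "decrypts".
func encryptCTR(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out, nil
}

// decryptCTR is the same keystream XOR; CTR encryption and decryption are symmetric.
func decryptCTR(key, iv, ciphertext []byte) ([]byte, error) {
	return encryptCTR(key, iv, ciphertext)
}

// sealGCM applies AES-GCM, an authenticated mode: the output carries a 16-byte
// tag over ciphertext and aad, so any change to either is detected on open.
func sealGCM(key, nonce, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, plaintext, aad), nil
}

// openGCM verifies the tag and decrypts; it returns an error on any tampering.
func openGCM(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, aad)
}

// flipByte returns a copy of ct with one byte XORed by delta: the modification
// an on-path attacker can make without knowing the key.
func flipByte(ct []byte, pos int, delta byte) []byte {
	out := make([]byte, len(ct))
	copy(out, ct)
	out[pos] ^= delta
	return out
}

// mustRandom returns n random bytes or panics (demo only).
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func main() {
	key := mustRandom(32)           // AES-256 key; in practice provided by key management
	iv := mustRandom(aes.BlockSize) // CTR needs a 16-byte IV
	nonce := mustRandom(12)         // GCM nonce; must never repeat under the same key
	pt := []byte(sampleRecord)
	aad := []byte("msg-id:7731") // constructed header sent in clear but bound into the GCM tag

	// 1. Confidentiality only: flipping one ciphertext byte silently changes the dose.
	ct, err := encryptCTR(key, iv, pt)
	if err != nil {
		panic(err)
	}
	pos := bytes.Index(pt, []byte("500mg"))
	altered, _ := decryptCTR(key, iv, flipByte(ct, pos, '5'^'6'))
	fmt.Printf("AES-CTR, one ciphertext byte flipped: %s\n", altered)

	// 2. Confidentiality plus integrity: the same flip is rejected before plaintext is released.
	sealed, err := sealGCM(key, nonce, pt, aad)
	if err != nil {
		panic(err)
	}
	if _, err := openGCM(key, nonce, flipByte(sealed, pos, '5'^'6'), aad); err != nil {
		fmt.Println("AES-GCM, same byte flipped: rejected,", err)
	}
	clean, _ := openGCM(key, nonce, sealed, aad)
	fmt.Printf("AES-GCM, untouched: %s\n", clean)
}
```

Modern TLS cipher suites used for web and e-mail transport already combine encryption with integrity in this way; the example isolates the property so it can be checked directly. The GCM nonce must never be reused under the same key, since reuse breaks both confidentiality and the integrity guarantee.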



Questions to consider:

  •  Has your organization evaluated the need to encrypt some or all of its data in transit?
  •  Does the organization use or need to use electronic signatures? A digital signature (or another cryptographic integrity check such as a message authentication code) is the reliable way to verify that data has not been altered since it was signed or tagged.
  •  Does the organization need to use encryption? If you send ePHI electronically via e-mail or over the Web, you should consider encrypting it.
  •  Are portable media devices used to create, receive, maintain or transmit ePHI?
  •  If your organization does use encryption, does it meet HHS/OCR guidance?



Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years of legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights, where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.