What a shame! All those company names on the Wall of Shame! It is estimated that two-thirds of the companies on the HHS/OCR Wall of Shame would not be there had they implemented a basic control that has been around for centuries! Encryption is NOT REQUIRED by either the HIPAA Security Final Rule or the HITECH Act. However, encryption effectively provides safe harbor under the Breach Notification Interim Final Rule. Learn more about what you and your company should be doing…


Advances in communications and computing technologies allow for easy information storage and transmission. But when information is sensitive, we must be careful and employ safeguards to protect it from unauthorized access, modification, and disclosure.

One such safeguard is encryption. Encryption is a procedure that scrambles information so that it can be deciphered only by authorized individuals or computers. Encryption should be used whenever sensitive data may be mobile, whether online or on disk: email, electronic file transfers, laptops, USB drives, CDs, etc.

You probably already know that encryption is used when visiting certain websites that require you to log in. You may notice in your browser the “http” in the address line replaced with “https” (or in a different color), or you might see a small padlock to indicate a secure website. Just as encryption online prevents other people from seeing the sensitive data you type on the web, you should also use encryption to protect sensitive information stored on a laptop, removable disk or other portable storage, in case of loss or theft.

Likewise, if sensitive information MUST be transferred via email, encryption should be used. System administrators should also consider encrypting backup tapes, CDs, DVDs, etc., especially if sending media off-site.

The simple act of encrypting data can help avoid embarrassing situations like appearing on the Wall of Shame, as well as other financial, legal and operational risks. If personally identifiable information (PII) or Protected Health Information (PHI) is lost and not encrypted, most state data breach laws and the Breach Notification Interim Final Rule require notification to every person whose personal information may have been compromised.

It also places your organization at significant risk of fines, incident response expenses, loss of customers/patients, and damage to your company's image and reputation. Nationwide, over 218 million records of U.S. residents have been exposed since 2005.

Encryption can be applied to individual files or an entire drive. Talk with your IT team about the best encryption solution for your equipment. Examples of sensitive information that should be encrypted include but are not limited to:

  • Protected Health Information
  • Credit card and banking information
  • Social security numbers
  • Company financial information not for public disclosure
  • Research data/intellectual property

If you need help with encryption and other security practices to keep sensitive data secure, contact your IT team.

The complete HIPAA Privacy, Security and Breach regulations are here.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

More HIPAA HITECH Resources:


Join our AboutHIPAA LinkedIn Group: http://AboutHIPAALI.org


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.