The requirements HIPAA sets for encryption are, at best, vague. Encryption of Protected Health Information (PHI) is defined as an “addressable” requirement: “covered entities” (CEs) must carry it out whenever it is appropriate. “Addressable” is not equivalent to “optional”; instead, it means that if the required encryption cannot be provided, an alternative safeguard should be implemented in its place.
Any CE that transfers information, either within or outside the company’s own firewall, must encrypt its PHI. This ensures that there is minimal risk to the integrity of PHI. However, once the data is not held within the company firewall, encryption may be harder to employ. Nevertheless, it is necessary unless a patient has given their permission for their data to be transmitted without encryption.
Issues of Encryption
When the first Security Rule (part of the HIPAA legislation) was enacted, technology was less sophisticated than it is today. However, those who wrote the rule had the foresight to use deliberately vague wording, allowing for future technological advances. The requirements are thus described as “technology-neutral”.
By ensuring that the Security Rule was still relevant irrespective of technological advancements, the Department of Health and Human Services also gave CEs the agency to decide the best course of action. To avoid a HIPAA violation, every aspect of the company’s IT system must have some form of encryption.
It is up to HIPAA CEs whether or not they will encrypt email. Though the HIPAA Security Rule stipulates that the information must be adequately protected, it does permit PHI to be transmitted by email. The decision to encrypt is usually made on the basis of an organisation-wide risk assessment.
Any encryption plan, or alternative safeguard, must be made available to the OCR (the Office for Civil Rights) should an audit occur. For more information on encryption, CEs and their business associates can consult the National Institute of Standards and Technology (NIST). NIST recommends the use of Advanced Encryption Standard (AES) 128-, 192- or 256-bit encryption, OpenPGP, and S/MIME.
Secure Messaging Solution
Maintaining workplace security has been complicated in recent years by the ubiquity of portable personal devices. It is estimated that around 80% of healthcare workers use mobile devices for work. Prohibiting employees from using such devices would have serious costs for companies.
However, CEs and their associates may use a secure messaging platform to ensure HIPAA-compliant encryption. Such platforms ensure that PHI is protected in transit, as well as when it is stored on a device. Should the information be accessed from an unauthorised device, it will be rendered unreadable.