Is Encryption Required by HIPAA?

This question recently came up as part of a partner’s webinar presentation. The HIPAA privacy and security rules can be less than obvious about what is actually required, and in particular about what is meant by the term ‘addressable’, which appears frequently in the regulation text.

Both encryption of data at rest and encryption of data in motion (during transmission) are presented as “addressable” in HIPAA. HHS itself says ‘addressable’ does not mean optional. It means you must do it, or do something else that is equivalent and document that something else.

Historically, HHS has through its audits and penalties effectively “REQUIRED” (by its actions) encryption of data at rest on mobile, portable, or otherwise movable devices (such as PCs) that contain PHI, and of data transmitted across the internet. Beyond this near-universal “requirement” established by its numerous penalties and adverse findings, HHS specifically gives the example of encrypting email and other transmissions across the internet in its many interpretation and explanation documents and guidelines for the rule. The net effect is that encryption of data transmitted over the internet is functionally required.

Here is the relevant portion of the rule for reference:

164.312 Technical safeguards

(e)(1) Standard: Transmission security.

Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

(2) Implementation specifications:

(i) Integrity controls (Addressable).

Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

(ii) Encryption (Addressable).

Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

