What are the HIPAA requirements for encryption?

The Health Insurance Portability and Accountability Act, commonly called HIPAA, calls on organizations to protect the data they use and produce. As a result, many entities want to know what HIPAA actually requires with respect to the encryption of information.

HIPAA defines encryption as “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key”.

Addressable Vs. Required

A source of confusion for many is the presence in the HIPAA Security Rule of both “required” and “addressable” implementation specifications. HIPAA includes a number of Parts and Subparts that deal with different aspects of security, and the Security Rule is one of these.

The use of encryption is an “addressable” implementation specification. This means that it should be put in place if a risk assessment finds that it is a reasonable and appropriate security measure that will protect the confidentiality, integrity and availability of electronic Protected Health Information (e-PHI).

Generally, addressable implementation specifications require measures that sufficiently reduce or mitigate the level of risk identified by a risk assessment. This leads to its own set of problems: if other methods provide a similar level of protection, any one of them could be used instead. The reasoning behind choosing one or the other should be recorded. If encryption or another type of security safeguard is not put in place, the organization must document the rationale supporting its decision not to implement a safeguard in this area.

A company might decide not to encrypt data on its internal servers if it deems that the firewalls and other security measures protecting those servers from external parties or unauthorized individuals are sufficient. In that case, it would need to document all of the security measures in place to protect the servers in order to justify not using encryption. Once the information is stored or transferred outside of these internal servers, the question of encryption must again be examined, addressed, and documented.

Safeguarding the Future

By not making encryption a mandatory part of the HIPAA security infrastructure, the Department of Health and Human Services (HHS) allows organizations the freedom to choose the safeguards most appropriate for their business and activity. This also helps to ensure ongoing security in the face of an uncertain future.

Technology evolves, and capabilities to overcome or bypass some security measures may be developed. By not making encryption a required implementation specification, HHS future-proofs its legislation. In doing so, it saves time by not needing to re-examine the rule in order to replace a mandated measure that has since become useless, and it better protects individuals’ data by requiring organizations to take steps that are sufficient to protect PHI, not merely steps that are prescribed.

As with many aspects of HIPAA, the question of whether encryption is necessary can best be answered through conducting thorough risk assessments, rigorously examining the results, defining the actions to be taken, and documenting the choices made.