Complying with HIPAA encryption standards: what you need to know
Have you encrypted your electronic protected health information (ePHI) at rest (while it sits in persistent storage) and in transit (while it moves from one point to another, whether over the internet or a private network)? If so, and if that encryption meets the HHS guidance on rendering PHI unusable, unreadable, or indecipherable to unauthorized persons (the guidance points to the NIST encryption standards for data at rest and data in transit), you are meeting the HIPAA encryption standard and the breach "safe harbor" applies to you.
This means that the loss of that encrypted ePHI is not a reportable breach, provided the decryption key was not compromised along with the data.
There are a few things you should know about HIPAA to make sure you meet the encryption standard, and this post walks through them.
Under the HIPAA Security Rule, encryption is classified as an addressable implementation specification, not a required one. So, the question you may be asking yourself is, "Does this really mean ePHI must be encrypted at rest and in transit?"
The answer is yes. An addressable specification must be implemented if it is reasonable and appropriate for your environment; if you conclude that it is not, you must document why and implement an equivalent alternative measure. Given how routinely ePHI is lost on laptops, phones, and removable media, encryption is reasonable and appropriate for nearly every covered entity and business associate.
According to Deven McGraw, former Deputy Director of Health Information Privacy at the Department of Health and Human Services, an addressable specification does not mean it is optional.
“Addressable does not mean, ‘well, maybe if I can get around to it,’” said McGraw. “‘Addressable’ means we expect you to do this. You must address encryption of data at rest and in transit.”
With that question answered, let’s move on to what is required for successfully complying with HIPAA encryption standards.
Encrypting ePHI at rest and in transit can be an expensive ticket of admission; however, it serves two purposes. First, it satisfies the HIPAA encryption standard. Second, it gives you the benefit of the safe harbor in the event of a breach, because the Breach Notification Rule applies only to unsecured protected health information. ePHI encrypted in line with the HHS guidance is secured PHI, so losing it does not trigger the rule's notification requirements, as long as the decryption key was not exposed as well.
The best way to make sure you meet the HIPAA encryption standard is to follow these steps:
- Implement encryption on every device that stores or can access ePHI (servers, workstations, laptops, phones, tablets), using full-disk or file-level encryption that meets the NIST guidance HHS references for data at rest.
- Implement encryption for ePHI in transit, especially over channels that are otherwise insecure, such as email and removable media (USB flash drives, external hard drives, etc.).
- Confirm that the encryption actually covers ePHI both at rest and in transit, and that decryption keys are stored and managed separately from the encrypted data; a key that travels with the data gives you neither protection nor the safe harbor.
- Stay up to date with current federal and state breach notification legislation, including how each treats encrypted data.
- Have a defined response and reporting process for employees who send unencrypted ePHI.
- Know and follow your organization's policies and procedures.
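The at-rest step above, as an added example that is not from Sword & Shield or the original post: an ePHI record is sealed with AES-256-GCM (an algorithm approved in the NIST guidance HHS points to), the stored blob is checked for leaked plaintext, and decryption is attempted with the wrong key, the wrong record identifier, and a tampered blob. The sample record and record identifier are constructed for the demonstration, the function names are the author's own, and the key-generation routine stands in for a real key store or KMS; meeting the HHS guidance also depends on key management and on your own risk assessment, which a code sample cannot establish.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample ePHI record for the demonstration; not real patient data.
const sampleRecord = "MRN=000123;Name=Jane Doe;Dx=Hypertension;DOB=1970-01-01"

// NewDataKey returns a fresh 256-bit key. In a real deployment the key lives in
// a KMS, HSM, or separate key store, never beside the ciphertext on the same
// device or removable medium (the HHS guidance makes this a condition of
// treating the data as secured).
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// aad (for example a record or file identifier) is authenticated but not encrypted,
// so a blob cannot be silently swapped onto another record.
func EncryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce so the blob is self-describing.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptRecord reverses EncryptRecord. A wrong key, a different aad, or any
// modification of the blob makes the GCM tag check fail, so the caller gets an
// error rather than garbage plaintext.
func DecryptRecord(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// LeaksPlaintext is the check to run after "encrypting" a file: does the stored
// blob still contain the record verbatim? It must not.
func LeaksPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("record-id:000123")
	blob, err := EncryptRecord(key, []byte(sampleRecord), aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob leaks plaintext: %v\n", LeaksPlaintext(blob, []byte(sampleRecord)))

	// Lost-laptop scenario: the finder holds the blob but not the key.
	wrongKey, _ := NewDataKey()
	if _, err := DecryptRecord(wrongKey, blob, aad); err != nil {
		fmt.Println("decrypt with wrong key:", err)
	}
	// Authorized path: the key is retrieved from the key store.
	pt, err := DecryptRecord(key, blob, aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted:", string(pt))
}
```

The point of the wrong-key and tampered-blob paths is the safe-harbor condition in practice: the blob on a lost device is indecipherable only while the key is somewhere else, and an authenticated mode means a modified blob is rejected rather than quietly decrypted to corrupted patient data.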
If you take nothing else away from this article, take away this: when it comes to HIPAA, "addressable" does not mean "optional". While the encryption standard is an addressable implementation specification, HIPAA fully expects it to be done.
Sword & Shield’s HIPAA Compliance Program (HCP) provides a cost-effective way for organizations to ensure ongoing compliance with the HIPAA Security, Privacy, and Breach Notification Rules.
Request a consultation to get started.
As a healthcare consultant for Sword & Shield, Jeremy Watson plays a critical role on the HIPAA compliance team by conducting site visits, preparing reports and participating in the general operations for our healthcare customers. Drawing on many years of experience in academia, healthcare, and technology, Jeremy now focuses mainly on HIPAA compliance and IT security. Jeremy holds a Healthcare Information Security and Privacy Practitioner (HISPP) certification and is a Certified HITRUST Practitioner.