HIPAA encryption requirements have proved a source of much confusion. This is due to the technical safeguards regarding the encryption of Protected Health Information (PHI) being defined as “addressable” requirements.
In addition, the HIPAA encryption requirements for transmission security dictate that covered entities should “implement a mechanism to encrypt PHI whenever deemed appropriate”. This instruction is quite vague and open to interpretation, hence the confusion it causes.
Explaining the HIPAA Encryption Requirements
The term “addressable” does not mean that the safeguard can be deferred to another day. Rather, it means that the safeguard must be implemented, an alternative that produces an equivalent level of protection must be put in place, or the covered entity must document (with a justifiable reason) why no action has been taken in relation to the safeguard.
The phrase “whenever deemed appropriate” could, for example, apply to covered entities that send communications via an internal server protected by a firewall. In this case, there should be no danger to the integrity of PHI from an external source, whether confidential patient data is at rest or in transit.
Once a communication containing PHI passes beyond a covered entity’s firewall, encryption becomes an addressable safeguard that must be addressed. This applies to any means of electronic communication (email, SMS, instant message, etc.), except where a patient has given express, written permission for their PHI to be transmitted without encryption.
Approaching Encryption Issues
One explanation for why the HIPAA encryption requirements are vague and open to interpretation is that, when the original Security Rule was passed, it was acknowledged that technology evolves. What is considered an appropriate encryption standard one day may be inappropriate the next.
For this reason, the Department of Health and Human Services did not require covered entities to implement specific security mechanisms that could soon become outdated, and instead left the HIPAA encryption requirements “technology neutral”. This allows covered entities to choose the most appropriate solution for their specific circumstances. The encryption requirements apply to every element of the IT system, from clients such as cell phones to servers such as Amazon Cloud.
The HIPAA Security Rule permits covered entities to send ePHI via email over an electronic open network, provided the information is adequately secured. HIPAA-covered entities must choose whether or not to use encryption for email. That decision must be established based on the results of a risk analysis. The risk analysis will point out the risks to the confidentiality, integrity, and availability of ePHI, and a risk management plan must then be formulated to lessen those risks to an appropriate level.
One way that risk can be controlled is by using encryption for all messages, although if an equal level of protection can be provided by another method, the covered entity may use that measure instead of encryption. The decision, along with details of the alternative protection, must be documented and made available to OCR in the event of an audit.
OCR does not specify HIPAA email encryption requirements, but covered entities can find out more about electronic mail safeguards from the National Institute of Standards and Technology (NIST); see SP 800-45 Version 2. NIST recommends the use of Advanced Encryption Standard (AES) 128-, 192- or 256-bit encryption, OpenPGP, and S/MIME.
Resolving Encryption Issues Using Secure Messaging Solutions
Due to the heightened use of personal mobile devices in the workplace, maintaining the integrity of PHI in a healthcare setting is an issue for many covered entities.
Around 80% of healthcare workers use a mobile device to help them manage their workflows. Losing unencrypted laptops, smartphones and tablets would have serious ramifications for the flow of communication in a healthcare organization.
One solution to the encryption problem is to use a secure messaging platform. Secure messaging platforms comply with the HIPAA encryption requirements by encrypting PHI both at rest and in transit, making it unreadable, undecipherable and unusable if a communication containing PHI is intercepted or accessed without authorization. These secure messaging solutions not only comply with HIPAA email encryption requirements, they also meet the requirements for access control, audit controls, integrity controls, and ID authentication.