The HIPAA encryption requirements are addressable implementation specifications that must be applied unless equally effective alternatives are used in their place, or a risk assessment determines that the requirements are unnecessary. However, it is difficult to find equally effective alternatives to the HIPAA encryption requirements for protecting the confidentiality and integrity of ePHI at rest and in transit.
The HIPAA encryption implementation specifications – often referred to as the HIPAA encryption requirements – can be found in the Technical Safeguards of the Security Rule. There are two implementation specifications relating to encryption which respectively have the objectives of rendering ePHI unreadable, undecipherable, and unusable:
Both implementation specifications are tagged as “addressable”. This does not mean encryption is not required. Instead, it means that if an alternative measure can provide the same or greater level of protection to EPHI, that measure can be implemented instead. In such cases, the decision should be justified through a risk assessment and the decision process documented.
The reason the HIPAA encryption requirements are addressable is that the Security Rule is deliberately technology neutral. This is because at the time the Security Rule was published, it was acknowledged that threats to ePHI are constantly evolving – as are the technologies to counter threats to ePHI. Therefore, the Security Rule has a “flexibility of approach” clause, and many of the standards in the Security Rule require implementations that are “reasonable and appropriate”.
With regards to the HIPAA encryption requirements, an example of when encryption might not be reasonable and appropriate is if a Covered Entity only communicates ePHI internally behind a firewall and/or via a VPN (most of which use encryption anyway). Any provider-patient communications containing ePHI can be sent without communications being encrypted, provided the patient has been warned about the risks of unencrypted email and has nonetheless agreed to receive them.
However, when looking at alternatives to the HIPAA encryption requirements, it is important to be aware that not all encrypted channels of communication are HIPAA compliant. One such example is WhatsApp – which although providing end-to-end encryption lacks many of the other technical safeguards required by HIPAA (user authentication, event logs, integrity controls, etc.). For this reason, Meta – WhatsApp’s parent company – will not enter into a Business Associate Agreement.
There are several good reasons why Covered Entities and Business Associates should comply with the HIPAA encryption standards. The first is that a breach of encrypted ePHI is not a notifiable event under the Breach Notification Rule. This is because, if ePHI is unreadable, undecipherable, and unusable, it cannot be considered to have been compromised by a third party to commit identity theft or insurance fraud. The difference this makes can be significant:
Therefore, complying with the HIPAA encryption standards can reduce the number of notifiable data breaches and improve a provider’s compliance history – reducing the administrative burden of sending notifications, organizing credit monitoring (if appropriate), and avoiding compliance investigations. Additionally, a provider’s compliance history is one of the factors considered when HHS calculates penalties for other types of HIPAA violations (i.e., patient access violations).
The second reason to comply with the HIPAA encryption standards is that, in January 2021, Congress passed HR 7898. This bill included an amendment to the HITECH Act which gave HHS’ Office for Civil Rights enforcement discretion when a Covered Entity or Business Associate can demonstrate at least twelve months compliance with a recognized security framework consistent with the objectives of the HIPAA Security Rule (i.e., a framework developed under section 2(c)(15) of the NIST Act).
Complying with the HIPAA Security Rule encryption requirements by themselves may not be sufficient for HHS’ Office for Civil Rights to considering waiving or reducing the penalty for a HIPAA violation – or the extent and length of a Corrective Action Plan. However, by implementing the HIPAA Security Rule encryption requirements as part of a recognized security framework, HHS may view the encryption “element” as a good faith effort to comply with HIPAA and may take no action at all.
Although being technology neutral, HHS has published guidance on what it considers to be HIPAA compliant encryption. The guidance links to publications issued by NIST (the National Institute of Standards and Technology) relating to the encryption of ePHI at rest (SP 800-111), the encryption of ePHI in transit (SP 800-52), and communicating ePHI remotely via an encrypted VPN (SP 800-113).
While these encryption standards have not been promulgated by an amendment to the Security Rule, the implication is that any encryption processes that are weaker than those in the NIST publications are not suitable for protecting the confidentiality and integrity of ePHI and are therefore non-compliant. Covered Entities and Business Associates unsure about whether their encryption solutions meet the HIPAA encryption requirements should seek professional compliance advice.
Encryption alone is not enough to safeguard PHI. This is due to the varied nature of the threats against the security of PHI. Sometimes, HIPAA violations can occur as the result of human error (such as attaching the incorrect file to an email), while not all PHI can be protected by encryption – e.g., physical paper files and verbal communications. Therefore, although encryption is the best way to ensure electronic PHI is unreadable, indecipherable, and unusable when accessed without authorization, encryption alone is not enough to safeguard PHI.
The services that should be encrypted include any device or digital communication that contains electronic PHI. This is to protect patient privacy and to mitigate the likelihood of penalties being incurred in the event of a data breach. It is important to ensure any files or means of communication (such as messaging services or emails) are encrypted or have equivalent protections.
The HIPAA Rule that covers encryption requirements is the Security Rule – specifically 45 CFR §164.312(a)(1) and 45 CFR §164.312(e)(2) of the Technical Safeguards. Although both implementation specifications relating to encryption in these standards are “addressable” rather than “required”, they must be implemented unless a measure with equivalent protection is used instead, or there is a documented (and justifiable) reason why encryption is not necessary.
If PHI is unencrypted, it is not an automatic HIPAA violation. Only electronic PHI has to be encrypted – and only then if there is no alternative measure implemented OR if there is a justifiable reason for not implementing encryption. If no alternative measure is implemented or there is no justifiable reason for not implementing encryption, unencrypted electronic PHI is an automatic HIPAA violation, even if no data breach occurs.
The HIPAA encryption requirements protect electronic PHI from being disclosed when data is accessed by an unauthorized third party. However, unauthorized third parties may find other ways to access readable electronic PHI by pretending to be an authorized user – for example, by a brute force attack on a weak password or by phishing a user’s login credentials. Therefore, it is important not to consider encryption as a stand-alone measure, but as part of a multilayered defense.
It is necessary to sign a Business Associate Agreement with a HIPAA compliant email encryption service because – according to HHS’ Office for Civil Rights – the service provider has “persistent access” to emails even if the service provider cannot access the content of the emails because it does not have access to the decryption key.
It can be difficult to apply the HIPAA email encryption requirements to communications with patients if a patient does not use a service that decrypts emails or is unable to use one. HIPAA allows Covered Entities to send unencrypted emails containing ePHI to patients if patients have expressed a preference to be contacted in this way or have initiated a conversation via email.
However, it is a best practice to alert patients to the risks associated with unencrypted emails and ask for an authorization to communicate ePHI in this way. Both the warning and the authorization should be documented; and, when sending unencrypted emails to patients, the amount of ePHI in the email should be kept to the minimum necessary to achieve the purpose of the email.
HIPAA does not require encryption inasmuch as encryption is not mandatory, but it is strongly recommended. According to HHS guidance, encryption must be implemented if “after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity, and availability of e-PHI.” However, the guidance continues:
“If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.”
HIPAA encryption in transit is when an encrypted document, file, or image containing ePHI is sent electronically from one person to another. From the time the communication leaves the sender’s device until the time it reaches the recipient’s device, the document, file, or image is considered to be “in transit”. The reason the document, file, or image is encrypted is so that, if the communication is intercepted or a transmitting server is hacked, the content of the communication is unreadable without the decryption key.
The encrypted email service provided by Office 365 is HIPAA compliant if it is provided as part of an in-scope Enterprise service and a Business Associate Agreement is signed with Microsoft. However, deploying a HIPAA compliant service and entering into a Business Associate Agreement does not guarantee HIPAA compliance. The service must also be configured correctly and users trained how to use the service compliantly.
No specific HIPAA encryption software is recommended by HHS (the Department of Health and Human Services) because the Security Rule is technology neutral. The neutrality of the Security Rule enables Covered Entities and Business Associates to implement technologies that meet their specific needs - rather than being bound to specific technologies - and update them whenever necessary.
Most email service providers offer email encryption for HIPAA Covered Entities. However, in order to be able to use an email encryption service, it may be necessary to subscribe to an Enterprise Plan or specific level of service. For example, Google will not sign a Business Associate Agreement for Gmail, but will if a Covered Entity subscribes to the Google Workspace and Cloud Identity services.