Like many HIPAA requirements, the requirements for encryption are a source of confusion. This is largely due to the wording of HIPAA. The requirement to protect the confidentiality and integrity of electronic Protected Health Information (ePHI) through encryption is an "addressable" implementation specification of the Security Rule. For many, this term is frustratingly vague.
The Security Rule's transmission security standard also tells covered entities (CEs) and their business associates to "implement a mechanism to encrypt electronic protected health information whenever deemed appropriate". This statement does little to clarify the requirement.
Perhaps counter-intuitively, "addressable" does not mean that the specification is optional and can be ignored. It means that the CE must implement the safeguard if doing so is reasonable and appropriate in its environment. If the CE concludes that it is not, it must document why, and implement an alternative measure that provides the same or a greater level of protection where that alternative is itself reasonable and appropriate. In either case, the decision must be justified through a risk assessment and the decision process must be documented.
It may not always be necessary to use encryption to protect patient PHI. If the data is only communicated within the CE's own network, behind its firewall, the firewall is a safeguard against access by an outside party. A firewall does nothing against an insider or a compromised internal host, however, and a device that leaves the network leaves that protection behind, so a decision not to encrypt internal traffic still has to be justified in the risk analysis and documented like any other addressable decision.
If PHI is transmitted beyond the protection of the firewall, it must also be protected, and here encryption becomes necessary. Any email message containing patient data that is sent beyond the firewall should be encrypted, unless the patient has been warned of the risk and has asked for PHI to be sent to them without encryption.
Despite being a source of frustration, the reasoning behind the vagueness of the HIPAA encryption requirements is simple. Back when the Security Rule was being drafted, the writers predicted that technology used to protect data would quickly advance. Thus, if they laid down specific rules mentioning certain technologies, they could quickly become out-of-date and inadequate. Additionally, new means of communicating data may be developed that requires completely different means of protection or renders encryption obsolete.
Thus, the Department of Health and Human Services decided to leave the Security Rule "technology-neutral". Rather than instructing CEs to implement technologies that will quickly be outdated, and then having to amend the regulation itself every time they are, the Rule lets CEs implement and update their own safeguards based on the best technology available.
The need for encryption covers every level of electronic communication, from text messages to emails to sending PHI to cloud storage services.
HIPAA covered entities are only permitted to share PHI via email if the email service is adequately protected. Many CEs therefore choose to encrypt emails, though they may opt for an alternative means of protection based on their own risk analysis.
Covered entities must ensure that risks identified through the risk analysis are addressed in a risk management plan. If the decision is taken not to encrypt, and other measures are used in place of encryption, this information must also be carefully documented. If a data breach occurs and the Office for Civil Rights conducts an investigation, the documentation will need to be produced.
OCR does not prescribe a particular email encryption technology. HHS guidance instead points to National Institute of Standards and Technology (NIST) publications; for email, see SP 800-45 Version 2, "Guidelines on Electronic Mail Security", which covers S/MIME and OpenPGP for message protection. The underlying cipher NIST recommends is the Advanced Encryption Standard (AES) with 128-, 192- or 256-bit keys.
It is estimated that around 80% of healthcare professionals use personal mobile devices in their daily work routines. This makes it very difficult for CEs and their business associates to ensure continued protection of patient data. Yet abandoning Bring Your Own Device (BYOD) policies will likely prove very costly for organizations and could impede workflow.
Recent developments in privacy and security technology offer a potential solution. "Secure messaging solutions" encrypt data both at rest on the device and in transit between devices, so that a message intercepted by an unauthorized third party is unreadable. These applications also incorporate authentication controls, integrity controls and an audit trail, which together address the Security Rule's technical safeguard standards for access control, integrity, audit and transmission security.
These solutions serve as a much more useful alternative to pagers and allow health information, including medical images, to be shared securely between all members of the care team.
Unfortunately, encryption alone is not enough for HIPAA compliance. This is in part due to the varied nature of the threats against the security of PHI. Sometimes, HIPAA violations occur as the result of human error (such as attaching the incorrect file to an email). Some PHI – physical files, for example, or PHI that is verbally communicated – cannot be protected by encryption. Therefore, whilst encryption is necessary to ensure the protection of electronic protected health information, it is not sufficient to ensure HIPAA compliance.
Any device or digital communication that contains protected health information and can be encrypted should be. This both protects patient privacy and avoids the penalties an organization may incur in the event of a HIPAA breach. For example, an unencrypted laptop containing patient information was stolen in 2017, which resulted in a penalty of over $1 million from the Office for Civil Rights. Had the disk been encrypted with a key that was not stored on the device, the loss of the hardware would not have exposed the data. It is therefore important to ensure that any files or means of communication (such as messaging services or emails) are encrypted or have equivalent protections.
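The NIST recommendation of AES above and the stolen-laptop case just described both come down to the same mechanism: an authenticated cipher whose key is held away from the data. The following is an added example, not code from the original article or from any product it mentions. It encrypts a constructed sample record with AES-256-GCM from Go's standard library, binding the record identifier as additional authenticated data, and then shows that a modified ciphertext or a ciphertext presented under the wrong record identifier is rejected rather than decrypted. The key, record identifier and sample record are all hypothetical; in a real deployment the key would come from a key manager or HSM and would never be written next to the encrypted data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record for the example; not real patient data.
const samplePHI = "MRN=000123;Name=Jane Doe;Dx=E11.9"

// newAEAD builds an AES-256-GCM AEAD. GCM provides both confidentiality
// and integrity: any change to the stored bytes makes decryption fail.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPHI seals plaintext under key. recordID is bound as additional
// authenticated data, so a ciphertext cannot be re-attached to a different
// record without detection. Output layout: nonce || ciphertext || tag.
// The key is assumed to come from a KMS or HSM (hypothetical here) and is
// never stored beside the data, which is what makes a stolen disk useless.
func EncryptPHI(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// Fresh random 96-bit nonce per record. Reusing a nonce under the same
	// key breaks GCM, so keys must be rotated before the record count is large.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptPHI opens a blob produced by EncryptPHI. It returns an error and
// no plaintext if the blob, its tag, or the recordID has been altered.
func DecryptPHI(key []byte, recordID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return aead.Open(nil, blob[:n], blob[n:], []byte(recordID))
}

func main() {
	// Hypothetical key for the demo; in practice fetched from a key manager.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	blob, err := EncryptPHI(key, "rec-000123", []byte(samplePHI))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptPHI(key, "rec-000123", blob)
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)

	// Integrity: flip one byte of the stored blob; decryption must fail.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptPHI(key, "rec-000123", tampered)
	fmt.Println("tampered blob rejected:", err != nil)

	// Context binding: the same bytes under another record ID must fail.
	_, err = DecryptPHI(key, "rec-999999", blob)
	fmt.Println("wrong record id rejected:", err != nil)
}
```

The design point is that the authentication tag, not a separate checksum, is what gives the integrity control the Security Rule asks for; a ciphertext that has been altered, truncated or moved to another record never yields plaintext at all. Encrypting with the key on the same disk as the data would satisfy none of this, which is why the key source matters as much as the cipher.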
The HIPAA Security Rule outlines the minimum administrative, physical, and technical safeguards needed to protect ePHI. The encryption specifications sit within the technical safeguards. To allow for technological developments, HIPAA classifies encryption as "addressable", meaning it must be implemented where reasonable and appropriate, and where it is not, the CE must document the reasons and put an alternative measure of equivalent protection in place.
HIPAA requires that all PHI have adequate protections to prevent it from being accessed or used by unauthorized individuals; the Privacy Rule covers PHI in every form, and the Security Rule adds the specific safeguards for ePHI. PHI is highly sensitive, and in the wrong hands it can lead to identity theft, medical fraud, or other severe consequences for the patient. It is for this reason that HIPAA expects encryption, or an equivalent documented safeguard, for all digital health records that contain PHI. If no such safeguards are in place, it is a HIPAA violation.