Like many HIPAA requirements, the encryption requirement is a source of confusion, and the wording of the rule is largely to blame. Under the Security Rule, the implementation specifications that call for encryption to protect the confidentiality and integrity of electronic Protected Health Information (ePHI) are classed as “addressable” rather than “required”, a term that many find frustratingly vague.
The transmission security standard (45 CFR 164.312(e)(2)(ii)) tells covered entities (CEs) and their business associates to “implement a mechanism to encrypt electronic protected health information whenever deemed appropriate”, which does little to clarify when encryption is actually expected.
Perhaps counter-intuitively, “addressable” does not mean optional. It means the CE must assess whether the safeguard is reasonable and appropriate in its environment. If it is, the CE implements it; if it is not, the CE must document why, and must implement an equivalent alternative measure where one is reasonable and appropriate. Either way the decision has to be justified by the risk analysis and the reasoning recorded in writing.
It may not always be necessary to encrypt PHI. If the data only travels within the CE’s own network, behind its firewall, the firewall is a safeguard against access by an outside party, and a risk analysis may conclude that this is sufficient. The practitioner’s caveat is that a firewall does nothing against a compromised internal host or a malicious insider on the same network, so a decision not to encrypt internal traffic should rest on an assessment of those risks, not on the existence of the firewall alone.
Once PHI leaves the protection of the firewall it must be protected in some other way, and here encryption becomes necessary. Any email containing patient data that is sent beyond the firewall should be encrypted, unless the patient, having been told of the risk, has asked for it to be sent unencrypted.
Despite the frustration it causes, the reasoning behind the vagueness of the HIPAA encryption requirements is simple. When the Security Rule was drafted, its authors expected data-protection technology to advance quickly. Specific rules naming particular technologies could soon become out of date and inadequate, and new ways of communicating data might require entirely different protections or make a named technique obsolete.
The Department of Health and Human Services therefore left the Security Rule “technology-neutral”. Rather than instructing CEs to deploy technologies that would soon be superseded, and then having to revise the regulation each time, the rule lets CEs select and update their own safeguards based on the best technology available.
The need for encryption applies to every channel of electronic communication, from text messages to email to uploading PHI to cloud storage services.
Covered entities may only share PHI by email if the email service is adequately protected. Many CEs therefore choose to encrypt email, though they may opt for an alternative safeguard if their own risk analysis supports it.
Covered entities must ensure that risks identified in the risk analysis are addressed in a risk management plan. If the decision is taken not to encrypt and other measures are used instead, that decision and its justification must be documented with the same care. If a breach occurs and the Office for Civil Rights (OCR) investigates, this documentation will have to be produced.
OCR does not prescribe a particular method of email encryption, but HHS guidance on what renders PHI “unusable, unreadable, or indecipherable” to unauthorized persons defers to NIST publications. NIST SP 800-45 Version 2, Guidelines on Electronic Mail Security, covers S/MIME and OpenPGP as the mechanisms for protecting a message end to end, and NIST’s approved symmetric cipher is the Advanced Encryption Standard (AES) with 128-, 192- or 256-bit keys. A point worth checking in practice: TLS between mail servers only protects each hop, and the message sits in plaintext in every mailbox along the way; S/MIME or OpenPGP protects the message itself.
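As an added illustration of the confidentiality-and-integrity goal this section keeps returning to, the following stand-alone Go program (written for this article, not code from HHS, NIST or any vendor) seals one PHI record with AES-256-GCM, the authenticated mode of the AES cipher that NIST approves, and then shows that a modified or re-labelled envelope is rejected rather than decrypted. Key management is assumed away for the demonstration: the key is generated in-process, whereas a real deployment would obtain it from a KMS or HSM. The record identifier, the JSON fields and the `Envelope` type are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Envelope is one encrypted PHI record (constructed for this example).
// The nonce travels with the ciphertext; the key never does.
type Envelope struct {
	RecordID   string // authenticated but not encrypted (used as AAD)
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: ciphertext || 16-byte tag
}

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG.
// Assumption for this stand-alone example: in production the key
// comes from a KMS or HSM, not from the application process.
func NewKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes = AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one record with AES-256-GCM. recordID is bound to the
// ciphertext as additional authenticated data, so an envelope cannot be
// silently re-labelled as a different patient's record.
func Seal(key []byte, recordID string, plaintext []byte) (*Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; 96 random bits is
	// the standard GCM nonce size.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return &Envelope{RecordID: recordID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts and verifies an envelope. Any change to the ciphertext,
// the tag, the nonce or the record ID fails verification and no
// plaintext is returned.
func Open(key []byte, env *Envelope) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.RecordID))
	if err != nil {
		return nil, errors.New("integrity check failed: envelope rejected")
	}
	return pt, nil
}

// Tampered returns a copy of env with one ciphertext bit flipped, to
// show what an in-transit modification looks like to the receiver.
func Tampered(env *Envelope) *Envelope {
	ct := append([]byte(nil), env.Ciphertext...)
	ct[0] ^= 0x01
	return &Envelope{RecordID: env.RecordID, Nonce: env.Nonce, Ciphertext: ct}
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte(`{"mrn":"000123","dx":"J18.9","note":"follow-up in 2 weeks"}`)
	env, err := Seal(key, "mrn:000123", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext (%d bytes), first 8: %s\n",
		len(env.Ciphertext), hex.EncodeToString(env.Ciphertext[:8]))
	if pt, err := Open(key, env); err == nil {
		fmt.Printf("decrypted: %s\n", pt)
	}
	if _, err := Open(key, Tampered(env)); err != nil {
		fmt.Println("tampered copy:", err)
	}
	// Re-labelling with another record ID also fails: the ID was AAD.
	relabelled := &Envelope{RecordID: "mrn:000999", Nonce: env.Nonce, Ciphertext: env.Ciphertext}
	if _, err := Open(key, relabelled); err != nil {
		fmt.Println("relabelled copy:", err)
	}
}
```

Two design points are worth noting. AES-GCM gives integrity as well as confidentiality, so a receiver never acts on a record that was altered in transit; a plain AES-CBC envelope without a MAC would decrypt a corrupted message to garbage and pass it on. Binding the record identifier as additional authenticated data is what stops an attacker from moving a valid ciphertext onto a different patient’s record without being detected.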
It is estimated that around 80% of healthcare professionals use personal mobile devices in their daily work. This makes it very difficult for CEs and their business associates to keep patient data continuously protected, yet abandoning Bring Your Own Device (BYOD) policies would likely prove costly and could impede clinical workflow.
Secure messaging applications offer one way out. They encrypt PHI both at rest on the device and in transit between devices, so an intercepted message is undecipherable to an unauthorized third party, and they add authentication controls, integrity controls and an audit trail, addressing the technical safeguards the Security Rule names. They do not by themselves make an organization compliant: the vendor handling the PHI is a business associate and must be bound by a business associate agreement, and the CE’s own risk analysis, policies and training still apply.
Such applications are a far more useful alternative to pagers and allow health information, including medical images, to be shared securely among all members of the care team.