Like much of HIPAA regulation, the requirements for encryption are a source of confusion. This is largely due to wording; the encryption safeguards needed to maintain the integrity of Protected Health Information (PHI) are seen as “addressable” requirements. This term, for many, is frustratingly vague.
HIPAA also stipulates that covered entities (CEs) and their business associates should “implement a mechanism to encrypt PHI whenever deemed appropriate”. This statement does frustratingly little to clarify the situation.
Perhaps counter-intuitively, the phrase “addressable safeguard” does not mean that the encryption requirement can be selectively ignored. Instead, it means that if the CE finds that there is an alternative safeguard that could provide the same level of protection they may implement that instead. This decision should be justified through risk assessments.
It may not always be necessary to use encryption to protect patient PHI. If the data is only being communicated on an internal server within the CE’s firewall, there is no risk to the PHI from an outside party.
However, once the PHI data goes outside the CE’s firewall, it must be protected. Here, encryption becomes and “addressable requirement”. Any message that contains patient data must be protected unless the patient has given their permission for PHI to be used without encryption.
Despite being a source of frustration, the reasoning behind the vagueness of the HIPAA encryption requirements is simple. Back when the Security Rule was being drafted, the writers predicted that technology used to protect data would quickly advance. Thus, if they laid down specific rules, they could quickly become out-of-date and inadequate. Additionally, new means of communicating data may be invented that require completely different means of protection.
Thus, the Department of Health and Human Services – who oversee the enforcement of HIPAA legislation – decided to leave the Security Rule “technology-neutral”. This means that, rather than instructing CEs to implement technologies that will quickly be outdated and thus having to regularly update the legislation itself, CEs can update their own safeguards.
The need for encryption covers every level of electronic communication, from text messages to emails to Cloud storage services.
HIPPA covered entities are only permitted to share PHI over email if the email service is adequately protected. Many CEs will thus choose to encrypt emails, though may opt for an alternative means of protection based on their own risk analysis. This will identify the main threats to the integrity and confidentiality of PHI, whilst still ensuring it is accessible to those that need it.
Whatever the outcome, it must be justified in a risk management plan. This information, along with details of how the protection – encryption or otherwise – is enacted must also be carefully documented. This is so that, if a PHI breach occurs and the Office for Civil Rights needs to conduct an investigation, it can do so.
Though the OCR does not lay out clear requirements for HIPAA email encryption, it does stipulate that emails must comply with National Institute of Standards and Technology (NIST) – See SP 800-45 Version 2. The NIST, in turn, recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption, OpenPGP, and S/MIME.
It is estimated that around 80% of healthcare professionals will use personal mobile devices in their daily work routine. This makes it very difficult for CEs and their business associates to ensure continued protection of patient data. Yet abandoning Bring Your Own Device (BYOD) policies will likely be very costly for organisations and impede workflow.
Recent developments in privacy and security technology mean that there is potential solution to these problems. “Secure Messaging Solutions” protect data both at rest and in transit between devices. It also encrypts data, making it undecipherable if it is intercepted by an unauthorised third party at any stage. Many such applications also require ID authentication and have various levels of integrity control.