HIPAA Encryption Requirements

The HIPAA encryption requirements may only cover a few lines of the Security Rule, but – when complied with – they can significantly reduce the likelihood of notifiable data breaches and the financial consequences of other Security Rule violations.

What are the Two HIPAA Security Rule encryption requirements?

The first of the two HIPAA Security Rule encryption requirements appears in the “access control” standard (45 CFR §164.312(a)(1)) as the “encryption and decryption” implementation specification at §164.312(a)(2)(iv). This requires Covered Entities and Business Associates to “implement a mechanism to encrypt and decrypt electronic protected health information” so that only users or software programs that have been granted access rights can read ePHI.

The inclusion of a HIPAA encryption requirement in the access controls standard can be a little confusing when taken out of context. However, if you put the requirement into the context of the Security Rule as a whole, its purpose is to ensure ePHI is unreadable, undecipherable, and unusable to any person or software program that has not been granted access rights.

The second HIPAA Security Rule encryption requirement appears in the “transmission security” standard (45 CFR §164.312(e)(1)) as the “encryption” implementation specification at §164.312(e)(2)(ii). It requires Covered Entities and Business Associates to implement a mechanism to encrypt ePHI whenever appropriate, to guard against unauthorized access to ePHI transmitted over an electronic communications network. This is because there are multiple points during a transmission at which a communication can be intercepted and read without authorization.

Additionally, copies of communications containing ePHI can remain on intermediate mail servers, relays and backups outside the sender’s control long after delivery. If one of those systems is later compromised, any unencrypted ePHI on it is exposed to the attacker, possibly well after the sender has deleted the original because it passed its legally required retention period.

The HIPAA Encryption Requirements are “Addressable”

Rather than mandating that encryption be used to safeguard the confidentiality of electronic Protected Health Information (ePHI) at rest and in transit, both implementation specifications in the Security Rule’s Technical Safeguards are “addressable”, meaning that there are circumstances in which encryption does not have to be implemented.

These circumstances exist when encryption is not “reasonable and appropriate” in a given environment, for example because an equally effective safeguard is already in place. While it is difficult to think of a safeguard as effective as encryption at making ePHI unreadable, undecipherable, and unusable, the Security Rule is deliberately technology neutral.

If a Covered Entity or Business Associate opts not to implement encryption, it must document why encryption is not reasonable and appropriate and, where reasonable and appropriate, implement an equivalent alternative measure, recording the reasoning in its risk analysis and risk management documentation (45 CFR §164.306(d)(3)). Furthermore, encryption is not the only addressable implementation specification in the standards in which it appears.

Both the access controls standard and the transmission security standard contain other addressable implementation specifications which, if taken individually, might not be “reasonable or appropriate”. However, when combined with the HIPAA encryption requirements, most Covered Entities and Business Associates find it easier to comply with all addressable implementation specifications.

HIPAA Compliant Email Encryption Software

HIPAA compliant email encryption software is a good example of when it is easier to comply with addressable implementation specifications than try to find a workaround. For example, it is possible to prevent unauthorized access to ePHI in an email by using a VPN. However, this means that every sender and every recipient would have to have controlled access to the same VPN.

With regards to ease of use, HIPAA compliant email encryption software not only encrypts the text content of emails, but also any files or images attached to the email. The software can also help satisfy the other addressable transmission security implementation specification, integrity controls (§164.312(e)(2)(i)), which requires measures to ensure that transmitted ePHI is not improperly modified without detection, for example by digitally signing or authenticating messages so that tampering in transit is detected.

Furthermore, you can take encryption compliance a stage further by implementing a HIPAA compliant email archiving service alongside the email encryption software. Archiving services that take copies of emails as they pass through the mail server are the best options as they store each copy in a read-only format to ensure the original version of any email is always available.

It is important to be aware that whatever solution, software, or service is implemented to comply with the HIPAA encryption requirements must be covered by a Business Associate Agreement. Even when a vendor cannot read ePHI because it is encrypted and the vendor does not hold the key, HHS’ Office for Civil Rights considers a vendor that stores or processes ePHI to have “persistent access” to it rather than the “transient access” that would qualify for the conduit exception, so a Business Associate Agreement is still required.

The Benefits of Implementing the HIPAA Encryption Standards

There are two primary benefits of implementing the HIPAA encryption standards. The first is that, if a data breach occurs but the ePHI accessed, stolen, or corrupted was encrypted in accordance with HHS guidance, the event is not a notifiable breach. The Breach Notification Rule only requires breaches of unsecured ePHI to be notified to affected individuals and HHS’ Office for Civil Rights, and ePHI is considered secured when it has been encrypted as specified in that guidance. The safe harbor depends on the decryption key not also having been compromised; encrypted data stolen together with its key is still unsecured.

The second benefit of implementing the HIPAA encryption standards is that it demonstrates a good faith effort to comply with HIPAA. In January 2021, an amendment to the HITECH Act (HR 7898) required HHS’ Office for Civil Rights, when calculating fines, deciding on audits, and agreeing remedies, to take into account whether an organization had recognized security practices in place for the previous 12 months.

Although encryption by itself may not persuade OCR investigators to waive a penalty for a HIPAA violation, it could contribute to a reduction in the penalty amount, the length of a corrective action plan, or the extent of an audit. If compliance with the HIPAA encryption standards is one of a number of security mechanisms in place, it may be the case that HHS takes no action at all.

Additionally, when an organization experiences fewer notifiable breaches of unsecured ePHI, this improves the organization’s compliance history with HHS’ Office for Civil Rights. This is one of several factors taken into account when HHS calculates penalties for HIPAA violations, another being a good faith effort to comply with HIPAA via the HIPAA encryption requirements.

HIPAA Encryption Requirements: FAQs

What are the alternatives to the HIPAA encryption requirements?

The alternatives to the HIPAA encryption requirements include implementing measures similar to encryption – such as pseudonymization. However, in order to implement alternatives to the HIPAA encryption requirements, it may be necessary to reconfigure every piece of software that creates, maintains, uses, or transmits ePHI so the software is compatible with the measure. In most cases, this will create more disruption than implementing the HIPAA encryption requirements.

What is HIPAA compliant email encryption?

HIPAA compliant email encryption is a service provided by many email service providers that enables users to send and receive encrypted emails containing ePHI. However, subscribing to such a service does not guarantee HIPAA compliance. It is important that the service is configured correctly, that users are trained in how to use the service compliantly, and that a Business Associate Agreement is signed with the email service provider.

What are the HIPAA encryption standards in the Security Rule?

The HIPAA encryption standards in the Security Rule are 45 CFR §164.312(a)(1) and 45 CFR §164.312(e)(2). The first of the standards requires Covered Entities and Business Associates to “implement a mechanism to encrypt and decrypt electronic Protected Health Information (ePHI)” so only users or software programs that have been granted access rights can access ePHI at rest.

The second standard requires Covered Entities and Business Associates to implement encryption for ePHI in transit so data is unreadable, undecipherable, and unusable if a communication is intercepted during transmission or accessed via a compromised transport server. Both of these HIPAA encryption standards are addressable implementation specifications that must be implemented unless an equally effective alternative is used, or the standard is inappropriate.

What are the HIPAA email encryption requirements?

The HIPAA email encryption requirements are that – if a Covered Entity sends ePHI in or attached to an email – the email should be encrypted at rest (while maintained on a server) and in transit (when moving between servers). Additionally, if using a third party email service provider, it is necessary to enter into a Business Associate Agreement with the email service provider.

Is there a HIPAA compliant encryption standard?

There is no single HIPAA compliant encryption standard, because when the Security Rule was published the Department of Health and Human Services acknowledged that technologies would advance during the lifetime of the Rule. Instead, HHS points to NIST guidance: its guidance on rendering PHI unusable, unreadable, or indecipherable references NIST SP 800-111 for data at rest and NIST SP 800-52 (together with SP 800-77 and SP 800-113 for VPNs) for data in transit. In practice that means FIPS-approved algorithms with a key of at least 128 bits (AES-128 or stronger) for data at rest, and TLS 1.2 or later for data in transit; the current revision of SP 800-52 requires TLS 1.2 as a minimum and recommends TLS 1.3. Protocol versions and cipher suites should be checked against the current revision of those publications rather than fixed once and forgotten.
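The following is an added example, not from the original page or from HHS, showing how a practitioner can audit a TLS configuration against the two floors just described (TLS 1.2 or later, and cipher suites with at least 128 bits of effective strength). It uses only Python’s standard library ssl module; the floors are encoded as constants, the legacy cipher list is a constructed sample in the shape that SSLContext.get_ciphers() returns (not captured from any real server), and the denylist of obviously broken algorithm names is the author’s assumption rather than anything HHS publishes.

```python
import ssl

# Floors taken from the NIST guidance HHS references: TLS 1.2 or later in transit,
# and at least a 128-bit key. These constants are this example's assumption of the floor.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2
MIN_STRENGTH_BITS = 128

# Algorithms that fail regardless of their nominal key size (assumed denylist, not an HHS list).
BROKEN_NAME_TOKENS = ("NULL", "RC4", "EXP", "DES")


def evaluate_tls_settings(minimum_version, ciphers):
    """Return a list of human-readable findings; an empty list means both floors are met.

    minimum_version: an ssl.TLSVersion value (the context's protocol floor)
    ciphers: dicts shaped like ssl.SSLContext.get_ciphers() entries
             (keys used here: 'name', 'alg_bits', 'strength_bits')
    """
    findings = []
    if minimum_version == ssl.TLSVersion.MINIMUM_SUPPORTED:
        findings.append("no explicit minimum protocol version; the OpenSSL build default applies")
    elif minimum_version < MIN_TLS_VERSION:
        findings.append(f"minimum protocol version {minimum_version.name} is below TLSv1_2")
    for c in ciphers:
        # strength_bits is the effective strength; alg_bits is the nominal key size.
        # 3DES reports alg_bits=168 but strength_bits=112, so checking alg_bits alone would pass it.
        if c["strength_bits"] < MIN_STRENGTH_BITS:
            findings.append(
                f"cipher {c['name']} has {c['strength_bits']}-bit effective strength "
                f"(nominal {c['alg_bits']} bits)"
            )
        elif any(tok in c["name"] for tok in BROKEN_NAME_TOKENS):
            findings.append(f"cipher {c['name']} uses a broken or legacy algorithm")
    return findings


def hardened_client_context():
    """A client context that meets the floors: TLS 1.2+, AEAD suites with >=128-bit keys."""
    ctx = ssl.create_default_context()  # certificate verification and hostname checking on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suite selection; TLS 1.3 suites are managed separately by OpenSSL and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def audit_context(ctx):
    """Audit a live SSLContext using what OpenSSL actually reports for it."""
    return evaluate_tls_settings(ctx.minimum_version, ctx.get_ciphers())


# Constructed sample of a legacy configuration (not output from any real server).
LEGACY_MIN_VERSION = ssl.TLSVersion.TLSv1
LEGACY_CIPHERS = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "alg_bits": 128, "strength_bits": 128},
    {"name": "AES128-SHA", "alg_bits": 128, "strength_bits": 128},  # meets the 128-bit floor
    {"name": "DES-CBC3-SHA", "alg_bits": 168, "strength_bits": 112},  # 3DES: fails on strength
    {"name": "RC4-SHA", "alg_bits": 128, "strength_bits": 128},  # fails on algorithm
]


def legacy_findings():
    """Findings for the constructed legacy configuration above."""
    return evaluate_tls_settings(LEGACY_MIN_VERSION, LEGACY_CIPHERS)


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    for f in legacy_findings():
        print("legacy:", f)
```

The same evaluate_tls_settings() function can be pointed at a server's ssl.SSLContext or at cipher data collected elsewhere, which is why the rule is kept separate from the ssl plumbing. Note that AES128-SHA passes the key-size floor even though it is a CBC suite; the floor on this page is a minimum, and current NIST guidance prefers AEAD suites.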

Is Office 365 HIPAA compliant for email encryption?

Office 365 is HIPAA compliant for email encryption provided organizations subscribe to an Enterprise plan that supports email encryption via an in-scope service and a Business Associate Agreement is signed with Microsoft. Please note Microsoft will not sign organizations’ Business Associate Agreements. Organizations must sign Microsoft’s Business Associate Agreement.

Does HHS recommend any specific HIPAA encryption software?

HHS does not recommend any specific HIPAA encryption software because the Security Rule was designed to be “technology neutral” in order to facilitate the use of the latest and most effective technologies to meet the needs of different healthcare organizations. HHS has commented that any regulatory requirement to implement specific technologies would bind healthcare providers to specific systems and/or software that may be superseded by subsequent technologies.

What email services are capable of HIPAA compliant email encryption?

Many email services are capable of HIPAA compliant email encryption or have a confidentiality feature. However, encryption is not the only consideration with regards to HIPAA compliant emails. To be HIPAA compliant, email services must have auditing capabilities, authentication controls, and support event logs. It is also necessary for the business implementing a HIPAA compliant email encryption service to enter into a Business Associate Agreement with the service provider.