HIPAA Encryption Requirements

HIPAA encryption requirements have proved to be a source of confusion for many HIPAA-covered entities. HIPAA Rules do not demand that encryption is implemented as part of the HIPAA Security Rule, as encryption is only an addressable implementation specification.

Some covered entities have taken ‘addressable’ to mean optional. To a certain extent that is true. HIPAA does not demand that encryption is implemented; however, if a covered entity decides not to encrypt data – at rest or in transit – an alternative safeguard must be used that provides an equivalent level of protection. Simply ignoring HIPAA encryption requirements is not an option.

Before a decision is taken about whether encryption is appropriate, a covered entity must conduct a risk assessment. Based on the results of that risk assessment, a covered entity will be able to determine whether the level of risk warrants the use of encryption. If encryption is not implemented, a covered entity must document the decision, along with the controls that have been used in its place. If documentation cannot be produced, regulators will assume that the specification has not been addressed and will penalize the covered entity appropriately.

The reason that HIPAA encryption requirements are only addressable is due to the legislation being technology neutral. When the HIPAA Security Rule was introduced, it was clear that technology would advance faster than it would be possible to introduce new legislation. Rather than stipulate that a technology should be used – which may become obsolete in a few years – the specific controls that a covered entity must use to safeguard the confidentiality, integrity, and availability of PHI was left to the discretion of the covered entity.

Already, some forms of encryption have been determined not to provide a sufficient level of protection. In order to meet HIPAA encryption requirements, covered entities should consult NIST and follow its guidance on encryption – See NIST Special Publication 800-111 for end user devices, NIST Special Publication 800-52 for Transport Layer Security and NIST Special Publication 800-77 for SSL and VPNs.

When Would Encryption be Appropriate?

If a covered entity only ever accessed PHI via its EMR system, which was not accessible from outside the organization, was protected by a firewall, and had appropriate access controls in place, the covered entity may determine, via a risk assessment, that encryption is not appropriate under the circumstances.

However, if PHI is emailed to business associates, is stored on portable devices such as laptops that are taken home by employees, the risk assessment would likely show a high risk to the confidentiality, integrity, and availability of ePHI. In such situations, the case for encryption would be much stronger.

The same applies to text messages. Text messages are a convenient method of communication, but SMS messages are not secure and cannot be used to communicate PHI. If covered entities wish to take advantage of texting, messages must only be sent via a secure text messaging platform – One that incorporates encryption for all transmitted messages and other safeguards that meet the technical specifications of the HIPAA Security Rule.

What is the Penalty for Not Adhering to HIPAA Encryption Requirements?

The Department of Health and Human Services’ Office for Civil Rights investigates all breaches of more than 500 records. If such a breach occurs and OCR investigators discover a covered entity failed to encrypt PHI, did not use an alternative safeguard that offers an equivalent level of protection, or has ignored HIPAA encryption requirements entirely, a financial penalty may be issued.

The penalty will depend on the seriousness of the HIPAA violation, how many individuals were impacted, the extent to which the covered entity was aware that HIPAA Rules were being violated, and how many other violations were discovered. The maximum penalty for a single violation is $1.5 million. That figure would then be multiplied by the number of years that the violation was allowed to persist.

In 2017, Children’s Medical Center of Dallas settled with OCR for $3.2 million following a breach involving the loss of an unencrypted Blackberry device containing the PHI of 3,800 individuals.