Is Encryption Essential in HIPAA Compliance?

  • 1. What is encryption?

    “Encryption is a method of converting an original message of regular text into encoded text. The text is encrypted by means of an algorithm (type of formula).”

    Source: U.S. Department of Health and Human Services (HHS)

    Encryption is one of several ways to protect data. For healthcare professionals and healthcare businesses it is a highly effective safeguard for electronic Protected Health Information (ePHI) against breaches.

    Unauthorized persons, including cyber actors, can exploit vulnerabilities in your computers and other devices, leaving any unprotected data defenseless. Ransomware is one of the most persistent threats facing organizations, including those in the healthcare industry. Cybercriminals withhold data and threaten to permanently destroy ePHI, or to sell individually identifiable health information (IIHI) on the cyber black market, unless millions of dollars in ransom are paid. Several healthcare organizations have been caught unprepared, with operations and services severely disrupted.

    Because of all these risks, encryption is crucial to protecting data. When data is encrypted, only the person or party who holds the decryption key can convert the encoded text back into plain, comprehensible text.

The Encryption Process
  • 2. Is encryption relevant in HIPAA Security Standards?

    The short answer is YES!

    Encryption appears twice as an implementation specification in the Technical Safeguards of the HIPAA Security Standards.

    These are (1) “Encryption and Decryption,” an addressable specification under Access Control; and (2) “Encryption,” an addressable specification under Transmission Security. Note that “addressable” does not mean optional: a Covered Entity or Business Associate must either implement the specification or document why it is not reasonable and appropriate and implement an equivalent alternative measure where reasonable and appropriate.

  • 2.1. Encryption and decryption specification description in Access Control:
    [§ 164.312(a)(2)(iv)]

    The specification states that Covered Entities and Business Associates must “implement a mechanism to encrypt and decrypt electronic protected health information.”

    The ePHI described in this specification is stored data, or “data at rest.” These are your patients’ health records and other individually identifiable health information (IIHI) stored on your organization’s digital devices, such as desktop computers, laptops, tablets, and others.

  • 2.2. Encryption specification description in Transmission Security:
    [§ 164.312(e)(2)(ii)]

    According to this specification, Covered Entities and Business Associates need to “implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”

    Electronic Protected Health Information in this specification refers to “data in motion,” that is, data being transmitted. An example is a healthcare provider’s office sending a patient’s medical records, including laboratory results, via email to another party that requested the files.

    Transmitted ePHI can be intercepted or accessed by unauthorized persons. This can result from several factors, such as network failures, unsafe file-sharing platforms, human error (e.g., sending to an incorrect email address), and more.

    Transmission of ePHI is an essential part of patient services and healthcare-related administrative functions. The HIPAA Security Rule permits the transmission of ePHI as long as it is adequately protected, and encryption is one of the ways to safeguard “data in motion.”

  • 3. Steps to encryption overview

    Whether a healthcare provider’s office or a healthcare organization decides to use a self-service encryption technology or to hire a contractor to encrypt its systems and devices, a brief overview of how to get started and what to expect is helpful. See the image below for reference.

Steps to Encryption