HIPAA FAQ: Encryption
This series of blog posts features FAQs regarding the HIPAA Security Rule.
Is encryption required under the HIPAA Security Rule?
The HIPAA Security Rule references encryption in the following two implementation specifications of the technical safeguards:
- Access Control § 164.312(a)(2)(iv) Encryption and Decryption — Implement a mechanism to encrypt and decrypt electronic protected health information.
- Transmission Security § 164.312(e)(2)(ii) Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
Neither of these implementation specifications is designated "required"; both are "addressable" under the regulation. I will cover the specifics of addressable specifications in my next post, but much of it comes down to compensating controls that address the identified risk.
The guidance for § 164.312(a)(2)(iv) Encryption and Decryption states that if information is encrypted, there would be a low probability that anyone other than the receiving party who has the key to the code, or access to another confidential process, would be able to decrypt (i.e., translate) the text and convert it into plain, comprehensible text. Because so many breaches have been attributed to lost and stolen devices, this specification is most often implemented as whole-disk encryption of client workstations, laptops and removable media. It is rarely implemented in the data center. I think this will change in light of the recent breaches at CHS and Anthem.
Transmission Security § 164.312(e)(2)(ii) covers the exchange of ePHI over the public internet. It is usually implemented by encrypting the channel, using dedicated VPNs or browser-initiated TLS sessions. Where a secure channel cannot be used, the payload itself is typically encrypted with public key encryption. This is a long-standing practice in information security, and the specification is generally understood and implemented. Where the standard is most often overlooked is email. The everyday use of email in the modern workplace has lulled users into a false sense of security, leading them to assume that ePHI sent by email is protected.
The key takeaway is that while encryption may not be “required” by the HIPAA Security Rule, it must be implemented to safeguard ePHI from modern threats.
Additional Resources
- http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html
- http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2001.html
- http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html