Have you encrypted your electronic protected health information (ePHI) data at rest (being stored in persistent storage) and in transit (flowing from one point to another, whether it be over the internet or a private network)?
If your answer is “Yes”, you’re compliant with the HIPAA encryption standard and therefore covered by the Safe Harbor Rule in case of a breach. This means you’re not required to report the breach should one occur.
If your answer is “No”, there are a few things you should know about HIPAA to ensure you’re HIPAA compliant.
This post tells you what you need to know about successfully complying with HIPAA encryption requirements to protect ePHI.
Currently, under HIPAA, the encryption standard is classified as an addressable implementation, not a required implementation. The question you may be asking yourself is, “Does this really mean ePHI data must be encrypted at rest and in transit?”
The answer is yes.
According to Deven McGraw, former Deputy Director of Health Information Privacy at the Department of Health and Human Services (HHS), an addressable specification does not mean it is optional.
“Addressable does not mean, ‘well, maybe if I can get around to it,’” said McGraw. “‘Addressable’ means we expect you to do this. You must address encryption of data at rest and in transit.”[1]
With that question answered, let’s move to what is required for successfully complying with HIPAA encryption standards.
Encrypting ePHI at rest and in transit can be expensive; however, it serves two purposes:
This is because the Breach Notification Rule only applies to unsecured protected health information. Encrypting ePHI therefore makes the protected health information secure.
The best method to ensure you’re compliant with the HIPAA encryption standard is by following these steps:
The Office for Civil Rights (OCR) does not specify HIPAA encryption requirements, but covered entities can find out more about encryption from the National Institute of Standards and Technology (NIST); see SP 800-45 Version 2. NIST recommends the use of Advanced Encryption Standard (AES) 128, 192, or 256-bit encryption.
When it comes to HIPAA, “addressable” does not mean “optional”. While the encryption standard is classified as an addressable implementation, HIPAA fully expects it to be done.