Complying with HIPAA Encryption Standards; What You Need to Know

The Yes or No Question: Have you encrypted your ePHI data at rest and in transit?

Have you encrypted your electronic protected health information (ePHI) data at rest (being stored in persistent storage) and in transit (flowing from one point to another, whether it be the over the internet or a private network)?

If your answer is “Yes”, you’re compliant with the HIPAA encryption standard and therefore covered by the Safe Harbor Rule in case of a breach. This means you’re not required to report the breach should one occur.

If your answer is “No”, there are a few things you should know about HIPAA to ensure you’re compliant with the encryption standard.

This post tells you what you need to know about successfully complying with HIPAA encryption standards to protect ePHI.

Is the HIPAA Encryption Standard Required?

Currently under HIPAA, the encryption standard is classified as an addressable implementation, not a required implementation. The question you may be asking yourself is, “Does this really mean ePHI data must be encrypted at rest and in transit?”

The answer is yes. 

According to Deven McGraw, former Deputy Director of Health Information Privacy at the Department of Human and Health Services (HHS), an addressable specification does not mean it is optional.

“Addressable does not mean, ‘well, maybe if I can get around to it,’” said McGraw. “’Addressable’ means we expect you to do this. You must address encryption of data at rest and in transit.”¹

With that question answered, let’s move to what is required for successfully complying with HIPAA encryption standards.

Encrypting ePHI at rest and in transit can be expensive; however, it serves two purposes:

1. You’ll be compliant with the HIPAA encryption standard.
2. You’ll be protected under the Safe Harbor Rule in the event of a breach.

This is because the Breach Notification Rule only applies to unsecured protected health information. As a result, by encrypting ePHI, protected health information becomes secure.

Related Reading: Case Study: CTS Software Gains Confidence and Credibility with HIPAA Certification

The best method to ensure you’re compliant with the HIPAA encryption standard is by following these steps:

1. Implement encryption on all devices that store or have access to ePHI.
2. Implement encryption for the transmission of ePHI when using unsecure methods such as email and removable media (USB flash drives, external hard drives, etc.).
3. Implement encryption for ePHI data at rest and in transit.
4. Stay up to date with current Federal and state legislation regarding breach notification requirements including encrypted data.
5. Maintain proper response and reporting for employees who are sending unencrypted ePHI.
6. Know and follow your corporate policies and procedures.

The Office for Civil Rights (OCR) does not specify HIPAA encryption requirements, but covered entities can find out more about encryption from the National Institute of Standards and Technology (NIST) – See SP 800-45 Version 2. NIST recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption

When it comes to HIPAA, “addressable” does not mean “optional”. While the encryption standard is classified as an addressable implementation, HIPAA fully expects it to be done.

Understanding HIPAA compliance during the Covid-19 outbreak can be difficult. Our team of HIPAA compliance experts stand ready to answer your questions.