Mimecast: Encryption Requirements for HIPAA Compliance
NEW YORK, September 1, 2022 (Newswire.com) - The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law requiring the creation of national standards to prevent the disclosure of sensitive patient information without their consent or knowledge. As such, several encryption requirements are in place to comply with HIPAA. However, owing to the wording which requires encryption to be an "addressable" requirement, there is some confusion over the exact nature of the appropriate levels of encryption.
HIPAA also states that covered entities (CEs) and business associates should "implement" a mechanism to encrypt personal health information whenever deemed appropriate, which is also a little vague. So, when are businesses required to encrypt to meet HIPAA requirements?
When to Encrypt?
Although the wording may be vague, it is also clear that encryption is a major requirement of HIPAA compliance, and businesses should therefore err on the side of caution. Risk assessments should be carried out and decisions around encryption need to be justified to provide the highest possible levels of security at all times.
Encryption may not always be required when information is only being transferred within an organization's firewall, as this prevents access to unauthorized parties. However, suppose sensitive patient information is transmitted beyond this firewall. In that case, it must be encrypted in order to meet the required level of compliance — unless a patient has given permission for the information to remain unencrypted. This is what is meant by an "addressable safeguard" in the HIPAA text wording.
How to Address Encryption Issues
One of the key reasons for the deliberately vague wording of the HIPAA text was that the authors did not want to be too prescriptive about the required technology, as they were aware that this would inevitably change within a few years of coming into law. As such, the bill was written to provide an open scope as to what the requirements would mean going forward — in such a way as to be "technology neutral." However, the implication is that CEs should implement the most appropriate encryption solutions for their individual circumstances, given the technology available to them. As mentioned, this is required to be justified and risk-assessed to provide adequate levels of security.
Encryption requirements must apply to all parts of a CE's IT system, from computer terminals and handheld devices to servers.
HIPAA regulation allows the transmission of personal health information over email provided that this information is adequately protected. CEs should therefore carry out a risk assessment to determine whether encrypted email is necessary to meet the expected levels of security. This assessment should identify the risks to confidentiality and outline a plan to reduce this risk to an appropriate level.
Generally, this will result in the use of encryption for all messaging. However, whatever the decision, all details of the assessment and any alternative protection measures considered must be documented and made available for inspection.
The Benefits of Email Encryption
Due to the proliferation of personal devices in any workplace, many of which staff use to help manage workflow, encryption may be essential in many businesses or organizations. It may be necessary to utilize a secure messaging platform that complies with the HIPAA requirements to prevent unauthorized interception of data. These secure services can only be accessed with the correct authorization and meet requirements in terms of ID authentication, access, and data transfer integrity.