HIPAA Security Rule
The decision to use encryption of ePHI as a safeguard depends on several factors. The HIPAA Security Rule permits the transmission of electronic PHI provided it is safeguarded. After a careful analysis of its systems, an organization may decide that encrypting ePHI is in its best interest, and the healthcare provider may then adopt encryption as its means of protecting sensitive ePHI.
The Rule defines the encryption standard as an addressable requirement, which can be confusing: if encryption is a reasonable and appropriate safeguard for the protection of ePHI, it should be implemented. The entity may determine that it is the best safeguard in its risk management of the confidentiality, integrity and availability of ePHI. An organization should therefore consider encryption and implement it in its management of ePHI, and it must document this decision in its plan.
No Specific Requirements
When the Security Rule was enacted, its authors recognized the rapid pace of technological change and that guidelines tied to specific technologies would need frequent revision. For this reason, the Rule does not require specific safeguards. It is up to the organization to conduct a careful risk assessment and, based on its findings, to put in place the appropriate mechanisms to protect ePHI. Presently, encryption of ePHI is an effective tool and a good safeguard for the secure transmission of email and text messages through the cloud. In many cases it has become the standard for transmitting sensitive data in healthcare and in the business world.
Alternative to Encryption
A health care provider may determine, based on its security risk assessment, that encryption is not reasonable and appropriate. It may then present an alternative safeguard to protect ePHI. It may also decide to do neither, if it determines that the standard can otherwise be met. In any case, the provider should document the reasons for its decision.