Do we need encryption? It's a simple question, but unfortunately the answer isn't as easy. Health and Human Services (HHS) technically says encryption falls under an implementation specification that is "addressable". So, no, it might not be required, but it must be considered. We're seeing more practices regularly using it to encrypt data on storage devices and to securely transmit PHI to other covered entities or for insurance claims.
HHS identifies implementation specifications as either "required" or "addressable". "Required" means mandatory compliance. Failing to implement these means you're violating the HIPAA Security Rule.
The following are all "Required" implementation specifications:
- Administrative Safeguards
  - Security Management Process: Risk Analysis, Risk Management, Sanction Policy, Information System Activity Review
  - Assigned Security Responsibility
  - Information Access Management: Isolating Healthcare Clearinghouse Functions
  - Security Incident Procedures: Response and Reporting
  - Contingency Plan: Backup Data Plan, Disaster Recovery Plan, Emergency Mode Operations Plan
  - Evaluation
  - Business Associate Contracts and Other Arrangements
- Physical Safeguards
  - Workstation Use
  - Workstation Security
  - Device and Media Controls: Disposal, Media Re-use
- Technical Safeguards
  - Access Controls: Unique User Identification, Emergency Access Procedure
  - Audit Controls
  - Person or Entity Authentication
"Addressable" implementation specifications allow for some flexibility. They need to be considered, but not necessarily implemented. In other words, you're required to either implement the specification, find an alternative that accomplishes the same objective, or consider it and decide not to implement it. These allow for
The following are all "Addressable" implementation specifications:
- Administrative Safeguards
  - Workforce Security: Authorization and/or Supervision, Workforce Clearance Procedure, Termination Procedures
  - Information Access Management: Access Authorization, Access Establishment and Modification
  - Security Awareness and Training: Security Reminders, Protection from Malicious Software, Log-in Monitoring, Password Management
  - Contingency Plan: Testing and Revision Procedures, Application and Data Criticality Analysis
- Physical Safeguards
  - Facility Access Controls: Contingency Operations, Facility Security Plan, Access Control and Validation Procedure, Maintenance Records
  - Device and Media Controls: Accountability, Data Backup and Storage
- Technical Safeguards
  - Access Controls: Automatic Logoff, Encryption and Decryption
  - Transmission Security: Integrity Controls, Encryption
Keep in mind that HIPAA is supposed to be flexible and scalable, so what's appropriate for a single-doctor practice more than likely wouldn't be enough for a large medical center.
So encryption might not be required, but it is affordable and easy, and it is a safeguard that ensures the information can only be viewed or used by the intended recipient. Facilities need to demonstrate that they did everything they could to secure their patients' PHI.
By the way, our HIPAA Security Manual addresses every required and addressable component listed above. Employee training should be documented on a regular basis.
"An ounce of prevention is worth a pound of cure." - Benjamin Franklin
Benjamin Franklin's quote is pretty simple: a little precaution before a crisis occurs is preferable to a lot of fixing up afterward. Nobody plans on a loss of information, a breach, a complaint, a random audit, or any other scenario that could result in HHS requesting your HIPAA policies and other records.