Updated: Feb 27
The rules regarding HIPAA encryption requirements have been a source of confusion for many organizations. The reason for this may be in the rule’s use of the word “addressable requirements” when referring to the technical safeguards that relate to the encryption of Protected Health Information (PHI). With regard to data transmission security, HIPAA encryption requirements state that covered entities should “implement a mechanism to encrypt PHI whenever deemed appropriate”. This guidance is seen by many as vague and confusing as it can be interpreted in a number of ways.
Encryption refers to the process of turning your data or written text/PHI into unreadable text through the use of software or algorithms. Once encrypted, this text can only be decrypted through a key that will make it readable again. The HIPAA encryption requirements are in place to protect your data, even in the event of a breach or theft. Proper encryption will render the data useless to anyone who obtains it unlawfully or without consent.
Data at Rest v Data in Motion
Any data stored in an electronic format being on a device is Data at Rest. Data is considered to be “at rest” whenever it is not being transferred between endpoints. In contrast, any data in the process of being transferred is Data in Motion. This includes data sent via email, for example.
What Encryption Safeguards Against
The goal of encryption under HIPAA rules is to secure a patient’s sensitive information tp protect against data breaches. However, proper encryption also protects against:
Device theft– The device is stolen, but the data is unreadable
Email breaches – Part of end-to-end encryption for data in motion
Ransomware –Helps protect you from the high cost of ransom
Spyware – Spying is useless when the data is not readable
How Should You Address Encryption?
HIPAA encryption requirements are intentionally vague and open to interpretation. This is because the original Security Rule was enacted with the knowledge that technology advances, over time, will force a degree of flexibility. In other words, appropriate encryption standards for today, may be inappropriate in the future. Given this, the rule did not demand that organizations implement security controls that could soon be outdated. Instead, HIPAA encryption requirements are “technology neutral”, thus allowing covered entities to select an appropriate solution for their own circumstances.
The Risk of Ignoring Encryption
Failure to encrypt PHI, wither at rest and in transit, could result in a HIPAA violation penalty from the HHS’ Office for Civil Rights. Many covered entities have already been fined for their failure to provide sufficient safeguards for their sensitive data.
LMS Portals for HIPAA Employee Training
LMS Portals provides a powerful cloud-based platform for eLearning. Our system offers full branding and customization to allow our healthcare clients to deliver online training to their employees in critical areas, such as data encryption.
Contact us to run your HIPAA Training on Your Own Branded eLearning Portal
Get Started for Free!