Understanding HIPAA Encryption Requirements

Updated: Feb 27


The rules regarding HIPAA encryption requirements have been a source of confusion for many organizations. The reason for this is largely the Security Rule's classification of encryption as an “addressable” implementation specification within the technical safeguards that apply to electronic Protected Health Information (ePHI). Addressable does not mean optional: a covered entity must implement the specification if it is reasonable and appropriate, or document why it is not and put an equivalent alternative measure in place. The specifications themselves are brief. For access control, the rule asks entities to “implement a mechanism to encrypt and decrypt electronic protected health information” (45 CFR 164.312(a)(2)(iv)); for transmission security, to “implement a mechanism to encrypt electronic protected health information whenever deemed appropriate” (45 CFR 164.312(e)(2)(ii)). This wording is seen by many as vague, because it leaves the decision of when encryption is “appropriate” to the entity's own risk analysis.


Defining Encryption

Encryption is the process of transforming readable data (plaintext, which here means PHI) into unreadable ciphertext using an algorithm and a secret key. Only someone holding the correct key can decrypt the ciphertext back into readable form. The HIPAA encryption requirements exist so that PHI stays protected even when the media holding it is breached or stolen: properly encrypted data is useless to anyone who obtains it without the key. Two caveats follow from this. First, the protection is only as good as the key management, so keys must be stored separately from the data they protect and access to them must be controlled. Second, under the HHS Breach Notification Rule, PHI that has been encrypted in line with HHS guidance is not “unsecured PHI”, so the loss of a properly encrypted device does not by itself trigger breach notification; this is the single biggest practical reason to encrypt.
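To make the definition above concrete, here is an added example (not code from the original article or from LMS Portals) of what “encrypted at rest” means in practice. It uses AES-256-GCM from Go's standard library, which both hides the data and detects any modification of it. The sample record, the key handling and the `patients/42` record identifier are assumptions constructed for the demonstration; in a real deployment the key would live in a KMS or HSM, never beside the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// samplePHI is a constructed, fictional record standing in for ePHI at rest.
const samplePHI = `{"patient":"Jane Doe","mrn":"000000","dx":"J45.20"}`

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG.
// Assumption for the demo: in production the key comes from a KMS/HSM.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// A random 96-bit nonce is drawn per call. aad is authenticated but not
// encrypted (here a record identifier), so a ciphertext cannot be silently
// moved to a different patient's row without the check failing.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It fails closed: a wrong key, a mismatched aad or any
// flipped bit in the blob produces an error, never garbage plaintext.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("patients/42") // assumed record identifier bound to the ciphertext
	blob, err := Seal(key, []byte(samplePHI), aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes): %x\n", len(blob), blob)

	pt, _ := Open(key, blob, aad)
	fmt.Printf("with the right key: %s\n", pt)

	wrongKey, _ := NewKey()
	if _, err := Open(wrongKey, blob, aad); err != nil {
		fmt.Println("wrong key:", err) // authentication failure, no plaintext returned
	}

	blob[len(blob)-1] ^= 0x01 // flip one bit, as someone editing the stolen file might
	if _, err := Open(key, blob, aad); err != nil {
		fmt.Println("tampered blob:", err)
	}
}
```

The point for a HIPAA program is the failure behaviour: a stolen laptop holds only the blob, and without the key neither the wrong-key nor the tampered case yields a single byte of the record. That is what makes the “unsecured PHI” safe harbor defensible, provided the key was not on the same device.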


Data at Rest v Data in Motion

Data at Rest is any data stored in electronic form on a device or medium: a laptop disk, a database, a backup tape, a USB drive. Data is “at rest” whenever it is not being transferred between endpoints. Data in Motion is any data in the process of being transferred, such as an email, a file upload, or a query between an application and its database server. The two call for different controls: disk or database encryption protects data at rest, while transport encryption such as TLS protects data in motion, and a complete program covers both.


What Encryption Safeguards Against

The goal of encryption under HIPAA rules is to secure a patient's sensitive information to protect against data breaches. Encryption protects confidentiality, and it is worth being precise about which threats it does and does not address:

  • Device theft – The device is stolen, but the data is unreadable without the key. This is the clearest win, provided the key is not stored on the same device.

  • Email and network breaches – Transport encryption for data in motion stops an eavesdropper on the network from reading the message; end-to-end encryption additionally keeps it unreadable to the mail servers in between.

  • Ransomware – Encryption at rest does not stop ransomware. Malware running on an unlocked system reads and encrypts files just as a user would. What encryption can limit is the “double extortion” value of stolen data when the attacker obtains copies of encrypted backups or media without the keys; protection against the ransom itself comes from tested, offline backups.

  • Spyware – The same caveat applies. Spyware on the endpoint sees data after it has been decrypted for use. Encryption defeats spying on the network path and on stolen media, not on a compromised device, so endpoint controls remain necessary.


How Should You Address Encryption?

HIPAA encryption requirements are deliberately general. The Security Rule was written with the knowledge that technology advances, so standards that are appropriate today may be inappropriate in the future, and the rule did not mandate specific controls that could soon be outdated. Instead the requirements are “technology neutral”, leaving covered entities to select an appropriate solution for their own circumstances. Neutral does not mean unguided: HHS guidance on what renders PHI “unusable, unreadable, or indecipherable” points to NIST publications (SP 800-111 for storage encryption and SP 800-52 for TLS), and in practice that means current, well-reviewed algorithms such as AES for data at rest and up-to-date TLS for data in transit, with the choice and the reasoning recorded in the entity's risk analysis.


The Risk of Ignoring Encryption

Failure to encrypt PHI, whether at rest or in transit, without a documented and reasonable alternative could result in a HIPAA violation penalty from the HHS Office for Civil Rights (OCR). Many covered entities have already been fined for failing to provide sufficient safeguards for their sensitive data, often after a lost or stolen unencrypted device turned into a reportable breach.


LMS Portals for HIPAA Employee Training

LMS Portals provides a powerful cloud-based platform for eLearning. Our system offers full branding and customization to allow our healthcare clients to deliver online training to their employees in critical areas, such as data encryption.


Contact us to run your HIPAA Training on Your Own Branded eLearning Portal
