Breaking Down HIPAA: Health Data Encryption Requirements

Source: HealthIT Security

Health data encryption is becoming an increasingly important issue, especially in the wake of large-scale data breaches like those at Anthem, Inc. and Premera Blue Cross. The HIPAA Omnibus Rule improved patient privacy protections, gave individuals new rights to their health information, and strengthened the government’s ability to enforce the law. However, health data encryption is considered an “addressable” aspect rather than a “required” part of HIPAA.

With close to 90 million Americans potentially having their personally identifiable information exposed in the last few months alone, including PHI in some cases, more people are wondering if enough is being done to keep that data safe. Should health data encryption be required? What exactly determines whether an entity must incorporate encryption into its privacy and security measures?

We’ll take a closer look at what health data encryption is, why it’s beneficial, and how covered entities are currently required to use it.

What is health data encryption?

Health data encryption is the process by which a covered entity converts information from its original form into encoded text. The health data is then unreadable unless an individual holds the key needed to decrypt it. This is a good way for electronic PHI (ePHI) to remain secure and to ensure that unauthorized individuals are not able to “translate” the data for their own use.

In relation to the HIPAA Privacy Rule and the HIPAA Security Rule, data encryption is a method to protect PHI. In particular, the Security Rule was designed to protect all data that “a covered entity creates, receives, maintains or transmits in electronic form,” according to the Department of Health & Human Services’ (HHS) site.

Why would it be beneficial?

Theft continues to be one of the major causes of healthcare data breaches, including incidents that involve PHI. If a laptop or smartphone falls into the wrong hands, the person holding it could cause major harm to patients if he or she gained access to medical or financial information. However, if that unauthorized user were unable to read the information on the device, some of that harm could be avoided.

Health data encryption could be an important step in the privacy and security process. However, by itself, it will not be enough. For example, malware could break through a covered entity’s database security, and from there attackers could gain access to sensitive information, including PHI. Or, if an employee’s login credentials were stolen, an unauthorized user could gain access that way. In either of those examples, it would not necessarily matter whether the health data was encrypted, because the attacker would be reading it through a path that decrypts it legitimately.
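The two scenarios above can be made concrete in code. The following Go program is an added example, not part of the original article or any HHS guidance: it encrypts a constructed sample record with AES-256-GCM from the standard library, so that someone holding only the stored blob (the lost-device case) sees no plaintext and any wrong key or tampering is rejected, while the application's own read path hands the decrypted record to anyone whose login is accepted (the stolen-credential case). The record contents, key handling and login check are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed sample ePHI record; no real patient data.
const sampleRecord = "MRN:000123|Name:Jane Doe|Dx:E11.9|Plan:Example Health"

// newGCM builds an AES-GCM AEAD from the data-at-rest key; 32 bytes selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptRecord seals a record under a fresh random nonce and returns
// nonce||ciphertext||tag as one blob suitable for storage at rest.
func encryptRecord(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptRecord reverses encryptRecord; the GCM tag check makes it fail on a
// wrong key or on any modification of the stored blob.
func decryptRecord(gcm cipher.AEAD, blob []byte) ([]byte, error) {
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// readAsUser models the application path (assumed, not from the article): any caller
// whose login is accepted receives the decrypted record, so a stolen credential
// defeats encryption at rest.
func readAsUser(loginAccepted bool, gcm cipher.AEAD, blob []byte) ([]byte, error) {
	if !loginAccepted {
		return nil, errors.New("access denied")
	}
	return decryptRecord(gcm, blob)
}
```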

It is also important to consider whether data is being encrypted at rest or in motion. For example, using a virtual private network (VPN) or a secure browser connection can help protect data in motion. Transport Layer Security (TLS) also serves this purpose: it is a protocol that provides authentication, confidentiality and integrity for sensitive data during electronic communication.

Overall, a covered entity needs to ensure that it has comprehensive technical safeguards – that may include data encryption – along with strong administrative safeguards and physical safeguards. One of those measures by itself will not be enough. Health data encryption could be a beneficial addition to a security program, but it would need to be working with other protection measures.

Is data encryption required?

According to HIPAA, encrypting health data is “addressable” rather than “required.” However, this does not mean that covered entities can simply ignore health data encryption. Instead, healthcare organizations must determine which privacy and security measures are appropriate for their workflow.

“…it permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity,” according to HHS. “If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate.”

There are many different encryption methods available as well, so it’s important for covered entities to review their systems and policies to determine if encryption is appropriate, and what kind of encryption to use.

For example, the HHS HIPAA Security Series suggests that covered entities ask themselves the following two questions to help determine if data encryption is appropriate:

  • Which EPHI should be encrypted and decrypted to prevent access by persons or software programs that have not been granted access rights?
  • What encryption and decryption mechanisms are reasonable and appropriate to implement to prevent access to EPHI by persons or software programs that have not been granted access rights?

By the same token, covered entities should determine who is accessing the data and how they are doing so. For example, if a facility has a BYOD policy and employees can access ePHI through their phones, mobile device encryption might be appropriate.

It remains to be seen whether the government will adjust its requirements for health data encryption. Until then, facilities need to be thorough in their risk assessments so they can properly determine whether data encryption is a necessary measure and, if so, how best to incorporate it into their security program. If a covered entity decides that data encryption is not necessary, it is essential to document the reasons why and to put an acceptable alternative in place. Data breaches are unlikely to stop happening, so healthcare organizations must remain diligent in making the adjustments needed to stay as secure as possible.