Encryption is the Key to HIPAA’s Security Rule Heart

So you’ve heard the presentations, classes and consultants tell you that you should encrypt everything.  Yet in the Security Rule itself, encryption is listed as an addressable implementation specification, not a required one.  Let’s talk about what all that means.


You must address encryption as part of your HIPAA security plan and documentation.  You don’t have to have encryption up and running everywhere, but wherever you don’t use it to protect ePHI you need to document WHY it is not reasonable and appropriate for you and what equivalent alternative you use to protect the data instead.  Addressable doesn’t mean you ignore it; it means you assess it, decide, and write the decision down.  Work with your application vendors and IT company to make sure every place ePHI is stored or sent is encrypted, updated and/or documented.

Encryption is like a safe deposit box for your data.   Without the matching key, the contents are useless.  Most of the encryption you will run into for stored data is symmetric: one secret key both locks and unlocks the data, so whoever holds the key holds the data.  Some products generate and hold that key for you; with others you create and control the key yourself, and then you have to keep up with your copy the same way you would a safe deposit box key.  Find out which kind of key management your encryption method requires and document it for HIPAA.

Under the Security Rule there are two kinds of encryption to cover: data at rest and data in transit.  The two have different concerns, so make sure you account for both of them in your documentation.

Data in transit refers to actual transmissions of data between computers.  When you transmit data to a clearinghouse or payer site to file claims, that is data in transit.  Any time you are sending ePHI between computers, make sure the connection is encrypted.  That can be special client software, a TLS connection to a website (what most people still call SSL), a VPN, or a more advanced solution.  An encrypted connection only protects you if the other end is who it claims to be, so don’t let staff click past certificate warnings or configure software to ignore them.  Make sure you consider all your different transmissions of data and account for how each one is encrypted.

Data at rest is usually where the most work needs to be done.  This means encrypting the data where it is stored, on the devices themselves.  The most likely place to start accounting for your data at rest encryption is any mobile device that could contain PHI: laptops, tablets and smartphones.  Any mobile device that has access to PHI should have some level of encryption on it.  You can encrypt the whole disk, a folder or a file, but encryption should be happening at some level on every device.  Keep in mind that whole-disk encryption protects a lost or stolen device only while it is powered off or locked behind a strong passcode; a running, unlocked laptop has already decrypted the disk for whoever is holding it.

Based on the HHS breach tool, a laptop is the device most likely to be involved in a breach affecting more than 500 patients.  Make sure laptops are encrypted before you allow anyone to store PHI on one.  Smartphones with patient names and phone numbers on them don’t get a pass either.  Review each smartphone to determine whether it holds patient-related data or has access to it configured (email, a patient portal, a remote desktop app) and make sure those devices are encrypted.  What about your clinical devices that capture patient information?  Are they encrypted before they move from site to site?

Encryption used in your practice management and clinical applications should also be included in your HIPAA documentation.  You should be able to get those details from your vendors.  Also, do you encrypt the server disks and the desktops that have spreadsheets and documents with patient data on them?  Your software vendors likely don’t control those folders and machines the way they do their own databases.  You need to address those yourself, either by encrypting those disks, folders and files or by having a documented plan to protect the data another way.

Finally and most importantly, remember that after you encrypt things you need to save the encryption keys if the method requires you to manage them.  If you store the keys on the same computer as the encrypted data, you really shouldn’t bother with the encryption at all: whoever walks off with the machine gets the key and the data together, and the breach notification safe harbor for encrypted PHI only applies when the key was not compromised along with the data.  You need a documented plan for storing and controlling access to encryption keys and recovery keys.  Don’t assume your IT company has them and wait to ask until you need them; that is too late for someone to start looking for the keys, and your data may be lost.  Use some sort of application or manual system to account for every encryption key: which device or file it unlocks, who holds it, and where it is kept.  No matter who is taking care of the encryption process, you should have a copy of every key in your records.  Ultimately, you are responsible for your data’s availability and security, and keeping up with those keys is part of that responsibility.
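To make the data-at-rest and key-management points above concrete, here is a small worked example I have added to this post; it is not code from the original post, and the disk or file encryption product your practice actually uses (BitLocker, FileVault, a vendor tool) does the same job internally.  It encrypts a constructed spreadsheet export with AES-256-GCM, shows that the file is unreadable with the wrong key and that any tampering is detected, and prints the kind of key inventory line the post asks for, which names the key by a fingerprint instead of containing it.  The patient rows, device name and custodian are made up for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SamplePHI is a constructed spreadsheet export standing in for a real file.
// The names and numbers are made up for this example.
var SamplePHI = []byte("MRN,Name,Phone\n10001,Jane Doe,555-0100\n10002,John Roe,555-0101\n")

// NewKey generates a random 256-bit AES key. This is the key that must be
// escrowed somewhere other than the device holding the encrypted file.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. The result is nonce || ciphertext || tag,
// so the same key can decrypt it later and any modification is detected.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It returns an error if the key is wrong or the
// file was altered; it never returns partial or corrupted plaintext.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// KeyFingerprint returns a short identifier derived from the key. It lets the
// key inventory name a key without containing the key itself.
func KeyFingerprint(key []byte) string {
	sum := sha256.Sum256(key)
	return hex.EncodeToString(sum[:8])
}

// InventoryLine is one row of the key inventory: what the key unlocks, who
// holds it and where. It deliberately does not include the key material.
func InventoryLine(asset, custodian, location string, key []byte) string {
	return fmt.Sprintf("%s\tkey %s\theld by %s\tstored at %s", asset, KeyFingerprint(key), custodian, location)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Encrypt(key, SamplePHI)
	if err != nil {
		panic(err)
	}
	// Hypothetical asset and custodian names for the inventory record.
	fmt.Println(InventoryLine("billing-laptop-07 PHI export", "Practice Manager", "office safe, envelope 3", key))

	// Right key: the file comes back intact.
	plain, err := Decrypt(key, sealed)
	fmt.Printf("right key: err=%v, %d bytes recovered\n", err, len(plain))

	// Wrong key (all a thief with only the laptop has): nothing comes back.
	other, _ := NewKey()
	_, err = Decrypt(other, sealed)
	fmt.Printf("wrong key: err=%v\n", err)

	// Tampered ciphertext: the GCM tag check rejects it.
	sealed[len(sealed)-1] ^= 0x01
	_, err = Decrypt(key, sealed)
	fmt.Printf("tampered:  err=%v\n", err)
}
```

The point to take from it is the separation: the encrypted file can sit on the laptop, but the 32-byte key and the inventory row that says who holds it belong somewhere else, and the inventory can be kept in plain view because a fingerprint reveals nothing about the key.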

Filed under: HIPAA Tagged: Breach Notification, Business Associate, Documentation, Encryption, HIPAA, Security Rule, Small Provider