By Iseman Cunningham Riester & Hyde LLP
One of the most commonly asked questions is whether the HIPAA Security Rule “requires” encryption of electronic health information. The stock answer is no; a better answer may be “not exactly.”
The final Security Rule requires Covered Entities to “implement a mechanism to encrypt and decrypt electronic health information” stored (at rest) on the system. (A separate requirement, which will be discussed next week, relates to information “in transit.”) This encryption specification is an “addressable” component of the access control standard, and must be implemented *unless* doing so would be inappropriate or unreasonable and the effect of implementation cannot reasonably be achieved through an alternative measure.
Covered entities must understand encryption before deciding not to employ it. An appropriate determination of whether to use encryption must consider the “likely contribution” of encryption to protecting electronic health information. It is impossible to assess the likely contribution without understanding the technology itself. For a decent primer on encryption, see http://download.pgp.com/pdfs/whitepapers/PGP-Ex_Brief_Encryption_Primer_041130_F.pdf.
Covered entities should also consider that encryption, in addition to being a formidable access control, can serve as an effective means of authentication and integrity verification as well. This could be a benefit to smaller organizations looking to cover a few bases with a single solution.
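The point above holds only for encryption modes that produce an authentication tag (or that are paired with a separate message authentication code); plain encryption keeps data confidential but does not by itself reveal tampering. As an added illustration, written for this page and not taken from ICR&H, PGP or the Security Rule itself, the Go program below uses AES-GCM, an authenticated encryption mode from Go's standard library, to protect a stored record. One key gives all three properties the tip names: the stored bytes are unreadable without it (access control), any alteration of the stored blob is detected (integrity), and a blob produced under a different key or for a different record identifier is rejected (authentication). The key, the record identifier and the record contents are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newAEAD builds an AES-GCM instance; key must be 16, 24 or 32 bytes.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one stored record. The result is
// nonce || ciphertext || 16-byte authentication tag. The record identifier
// is bound in as associated data, so a blob cannot be silently swapped
// onto a different record without failing verification.
func sealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce we pass as dst.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openRecord decrypts a blob from sealRecord. It returns an error if the
// key is wrong, the record identifier does not match, or any byte of the
// blob (nonce, ciphertext or tag) was changed in storage.
func openRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("stored blob is too short to be valid")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

// tamperDetected flips one ciphertext byte of a copy of blob and reports
// whether openRecord refuses it, i.e. whether integrity is enforced.
func tamperDetected(key []byte, recordID string, blob []byte) bool {
	altered := append([]byte(nil), blob...)
	altered[len(altered)-1] ^= 0x01 // corrupt the authentication tag
	_, err := openRecord(key, recordID, altered)
	return err != nil
}

func main() {
	// Constructed sample key; a real deployment obtains keys from a key
	// management system, never from a literal beside the data.
	key := []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	recordID := "patient-record-0001"                  // constructed
	record := []byte("Diagnosis: sample text for demonstration")

	blob, err := sealRecord(key, recordID, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes (%d bytes of overhead)\n", len(blob), len(blob)-len(record))

	back, err := openRecord(key, recordID, blob)
	fmt.Printf("correct key and record: %q, err=%v\n", back, err)

	_, err = openRecord([]byte("ffffffffffffffffffffffffffffffff"), recordID, blob)
	fmt.Println("wrong key rejected:", err != nil)
	_, err = openRecord(key, "patient-record-0002", blob)
	fmt.Println("wrong record identifier rejected:", err != nil)
	fmt.Println("tampering detected:", tamperDetected(key, recordID, blob))
}
```

The nonce is generated fresh for every seal; reusing a nonce under the same key is the classic way to break GCM, so a production system should track nonces or derive a per-record key rather than rely on random nonces for very large record counts. Binding the record identifier as associated data is what turns "the tag verified" into "this is the correct record", which is the authentication benefit the tip refers to.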
(Please note – PGP is an encryption vendor. The white paper link is provided for educational purposes only. We have no affiliation with PGP and are not recommending or endorsing their products by including this link. Viewers will need Acrobat Reader to view the white paper.)
HIPAA Security Tips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for its work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.
(c) 2004 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction.