The HIPAA Security Rule’s 42 requirements, many of which are only one sentence long, understandably raise many questions for organizations seeking to comply. To resolve some of this ambiguity, the HHS Office for Civil Rights (OCR) issued guidance in April 2009 to clarify these terse regulations. This 20-page guidance document, which describes detailed procedures and technology, does not itself constitute a requirement. Rather, organizations that follow these guidelines have a “safe harbor”, in that they will not cause a data breach if they follow this guidance. In other words, if you follow this guidance you will be in compliance. There may be other ways to comply, but in the event of any enforcement action you would be responsible for defending your approach.
OCR relies on NIST, the National Institute of Standards and Technology, for this guidance. To protect “data in motion”, “valid encryption processes for data in motion are those that comply with the requirements of Federal Information Processing Standards (FIPS) 140-2. These include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPSec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.”
The latter two publications describe two approaches to VPNs, or Virtual Private Networks. Common scenarios for using a VPN include connecting to the business network from home and connecting a remote office to the main corporate network. The two NIST documents specify the configuration details for each approach.
The remaining publication, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations, covers other scenarios, such as connecting to a remote web application, hosting a web application on your own server for others to access across the internet, or securing applications such as Microsoft Exchange Server. The NIST document provides extensive detail on the configuration requirements for a secure implementation.