The HIPAA Security Rule includes two separate implementation specifications involving encryption.
The first is contained at 45 CFR 164.312(a)(2)(iv): “Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.” From context (this requirement is in the “access controls” section), this first encryption requirement involves “data at rest,” for example, hard drives of laptop computers, data on smartphones and databases that store electronic PHI.
The second requirement is located at 45 CFR 164.312(e)(2)(ii): “Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.” This second requirement is part of the transmission security section, which requires protection of ePHI while it is being transmitted over an electronic communications network. So, this second requirement involves “data in motion,” for example, sensitive data transmitted across the Internet.
First, note that both of these requirements are annotated “addressable”. Addressable requirements are part of the Security Rule’s design to make the standards flexible, so that a single set of rules can apply to vastly different organizations – from a part-time therapist working 10 hours/week out of her home to a 50,000-employee integrated delivery network spanning 10 states. According to the General Rules for the HIPAA Security standard at 45 CFR 164.306(d)(3), the term “addressable” means that the covered entity or business associate MUST:
- Assess whether this is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and
- Implement the requirement if it is reasonable and appropriate; or, if it is not reasonable and appropriate, document why it is not AND implement an equivalent alternative measure if that is reasonable and appropriate.
So – is data encryption “reasonable and appropriate”? The chief enforcer of the HIPAA regulations, the HHS Office of Civil Rights, thinks so, especially for mobile devices. They have recited the importance of encryption like a mantra for the last 5 years. A second HHS organization, CMS, in its Meaningful Use program, also thinks so. They modified the Privacy and Security Objective for Stage 2 Meaningful Use to explicitly require that encryption be considered.
Encryption is no longer esoteric or expensive. For example, these security measures are built into Microsoft Windows as BitLocker and into Apple’s OS X as FileVault. That said, there are some implementation complexities, which are discussed in Eagle’s blog posts “Encrypting Mobile Devices – First Create a Plan” and “Encryption with BitLocker – Protecting Against Attacks”.
But there is more. One must get into the technical details to determine whether one or both of the encryption requirements are applicable. This is most appropriately done in the HIPAA Security Risk Analysis. Part of this process would be to conduct an inventory of PHI and analyze data flows to determine where it is stored and when it is transmitted. Any device where PHI is stored and any data flow that carries it are candidates for encryption.
Suppose that after this analysis a device such as a laptop is found never to store PHI on its hard drive. A reasonable risk assessment could conclude that it is unnecessary to encrypt this hard drive. Now suppose that this laptop was sometimes used at home by a physician to access the office’s electronic record system. It would still be important to encrypt the data while it was being transmitted across the Internet, in other words, to encrypt the “data in motion”.
In another example, suppose that a laptop computer is used to connect to the electronic record system, and that the electronic record system uses Microsoft Word on the laptop to format letters and other instructions to patients. And suppose that this patient information was stored on the laptop hard drive. In this example, it would be important to encrypt the hard drive of the computer, which is “data at rest.”
Note that when choosing not to use encryption, the organization MUST document why it is not reasonable and appropriate.
When conducting a risk analysis, Eagle Consulting Partners generally recommends that all laptops and other mobile devices be encrypted, even if they are not used to store ePHI. We recommend this because it is often less expensive to simply encrypt all laptops and phones (which have a high probability of being lost or stolen) than to figure out whether they store PHI, and to monitor on an ongoing basis whether this ever changes. And, for any transmission over the Internet we recommend encryption using TLS (which supersedes SSL) or a VPN. Please watch for future blog posts for implementation recommendations.