What is HIPAA's encryption and decryption standard?

HIPAA requires covered entities and business associates to implement appropriate safeguards to protect electronic protected health information (ePHI). HIPAA names no specific encryption or decryption standard, but there are widely accepted best practices.

HIPAA’s approach to encryption

Encryption is an "addressable" requirement, meaning organizations must assess their needs based on potential risks. The HHS clarifies that "An addressable implementation specification is not optional; rather, if an organization determines that the implementation specification is not reasonable and appropriate, the organization must document why it is not reasonable and appropriate and adopt an equivalent measure if it is reasonable and appropriate to do so."

Commonly used standards include Advanced Encryption Standard (AES) for data at rest, such as in hard drives, and Transport Layer Security (TLS) for data in transit, such as in email. The key is selecting methods that effectively safeguard ePHI according to the specific needs and risk factors of the organization.

Unlike other regulations that might prescribe specific technologies, HIPAA doesn’t mandate a single encryption standard. Instead, it provides flexibility, requiring covered entities and business associates to implement “appropriate” safeguards to protect ePHI.

Considerations for implementing encryption

  • Risk assessment: The first step in determining the need for encryption is evaluating the sensitivity of the data and the potential risks it faces, such as unauthorized access or cyberattacks. The outcome of this assessment should guide the choice of encryption methods.
  • Data at rest vs. data in transit: Data at rest refers to ePHI stored on devices or servers, while data in transit is information moving through networks. Encryption practices should be tailored to each type of data. For example, AES is ideal for data at rest, while TLS should be used to protect data in transit.
  • Key management: Encryption is only as secure as the keys used to encrypt and decrypt the data. Proper key management practices include secure key storage, regular key rotation, and strict access controls to ensure that only authorized individuals can access decryption keys. Failure to manage keys properly can render encryption ineffective, putting ePHI at risk.
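The "data at rest" and "key management" considerations above in working form, as an added example that is not Paubox's code: ePHI records are sealed with AES-256-GCM, each record carries the ID of the key that sealed it (also bound into the ciphertext as associated data), and rotating to a new key leaves older records decryptable. The in-memory Keyring is a stand-in for the KMS or HSM that would hold keys in production.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Keyring maps key IDs to AES-256-GCM keys (a stand-in for a KMS/HSM here).
// New records use the current ID; older IDs stay so old records still open.
type Keyring struct {
	keys    map[string]cipher.AEAD
	current string
}

func NewKeyring() *Keyring { return &Keyring{keys: map[string]cipher.AEAD{}} }

// Rotate installs a 32-byte key under id and makes it the key for new data.
func (k *Keyring) Rotate(id string, key []byte) error {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	k.keys[id], k.current = gcm, id
	return nil
}

// Encrypt returns (keyID, nonce||ciphertext); the key ID is authenticated as
// associated data so a stored record cannot be silently re-labelled.
func (k *Keyring) Encrypt(plaintext []byte) (string, []byte, error) {
	gcm, ok := k.keys[k.current]
	if !ok {
		return "", nil, fmt.Errorf("no current key installed")
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	return k.current, gcm.Seal(nonce, nonce, plaintext, []byte(k.current)), nil
}

// Decrypt uses the key the record was written with, not the current one.
func (k *Keyring) Decrypt(keyID string, blob []byte) ([]byte, error) {
	gcm, ok := k.keys[keyID]
	if !ok || len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("unknown key %q or truncated record", keyID)
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(keyID))
}
```

Because GCM authenticates the key ID, a record whose label is changed to another key fails to open rather than yielding garbage, and a missing key ID is reported explicitly.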

FAQs

What happens if a healthcare organization doesn’t encrypt ePHI?

If a breach occurs and ePHI is not encrypted, the organization may face significant penalties, as encryption could have prevented unauthorized access to the data.

How does HIPAA view encryption for mobile devices?

HIPAA recommends strong encryption for mobile devices storing ePHI to protect data in the event of the device being lost or stolen.

Are cloud-based services required to use encryption under HIPAA?

Yes, cloud service providers handling ePHI must implement encryption for both data at rest and in transit, and they must sign a BAA to ensure HIPAA compliance.