March 25, 2016

Does HIPAA Require Encryption?

At Edge, we field a lot of tough questions about security and compliance. One question we’ve been hearing a lot from customers lately is this: is HIPAA encryption required?

In the simplest terms, yes: encryption is an addressable item under HIPAA. Once you consider the details, however, the answer becomes more complex.

Data Primer

Before you can ask if or how to encrypt, you need to understand what types of sensitive data may require encryption.

In most “compliance” scenarios (PCI-DSS, HIPAA, FISMA, etc.), two categories of data exist: personally identifiable information (PII), which is data that can be tied to a single individual, and information that is not personally identifiable. Examples of PII include your name or email address in a medical record. Examples of data that are not PII are your address or phone number in a public record, or a medical record that has no individually identifiable traits.

In HIPAA, PII is called Protected Health Information (PHI) or, in its electronic form, ePHI. HIPAA has 18 categories of data that are considered to be PHI/ePHI; that information can be viewed here.

Exactly What is Encryption?

The most common method of protecting this kind of sensitive data is encryption. Encryption serves two functions: it ensures the confidentiality of data and, in some cases, can also provide integrity. It is a mathematical process that transforms plain (readable) text into secret text, or ciphertext, and it requires a key to encrypt and decrypt the data.

However, because encryption is a mathematical computation, every time a piece of data is encrypted or decrypted the work runs through your CPU and loads that part of the system. This can have a significant impact on performance if it is not done correctly.

Required vs. Addressable

Before diving into what HIPAA says about encryption, we must first understand two terms used for rules within HIPAA: “required” and “addressable.” The difference is that a required rule must be met to the letter of the law, while an addressable rule leaves some room for interpretation in how it is accomplished. To put it simply: if required, do it exactly as the law says; if addressable, at least meet best practices.

How Does HIPAA Define Encryption?

The specific language is in § 164.312(2)(iv), Technical safeguards: “A covered entity or business associate must, in accordance with § 164.306: …” (iv) “Implement a mechanism to encrypt and decrypt electronic protected health information.”

Meaning: encryption in HIPAA is an addressable requirement.

The key phrase to look at is “…electronic protected health information.” Encryption needs to be applied to the ePHI, the 18 categories of data; it does not need to be applied blanket-style to a whole server or scenario. The “research” provisions allow some of these rules to bend slightly. If you are using ePHI for research, check with your institutional security or legal teams for further guidance.

Options for Encryption

Though HIPAA says that you need to have encryption on ePHI, where and when that protection is applied often leads to confusion. First, determine whether the information is ePHI. If it is, then encryption needs to be applied whether the data is in transit (in motion) or at rest on the server.

Once you have clearly determined the data classification and the need to encrypt, picking the right solution is similar to selecting a tool for any other security function.

If the data is in motion, it is best to use an end-to-end encryption capability such as SSL/TLS with certificates. These certificates should not be internally generated or self-signed. They can be purchased online from a hosting provider or from a number of different Certificate Authorities (CAs). Each CA provides instructions on how to supply the information needed to create the certificate and apply it properly. Virtual Private Networks can also be useful for encrypting data in motion, but they are rarely end-to-end.

Next, we need to encrypt the data at rest, using either Full Disk Encryption (FDE) or folder/file level encryption. FDE is likely not necessary and places additional load on the CPU; many places on a disk do not contain ePHI and therefore do not need to be encrypted. FDE is most useful when physically transporting a disk, such as through a courier, because it ensures that if the disk is lost, nothing on it is readable.

Folder level encryption is the best method for encrypting collections of individual files, such as a PDF, Word document or Excel spreadsheet. The advantage of encrypting a folder is automation: any file placed within the folder is encrypted. If you opt for individual file level encryption, you have to encrypt each file by hand, and it is important to keep in mind that wherever a manual process is involved, the possibility of error grows.

Lastly, database encryption (of the whole database or of specific rows/columns) should be considered. Encrypting the whole database, as with FDE, may encrypt data that does not need to be encrypted. For that reason, most companies opt for row/column based encryption, which secures only the data within specific rows or columns. Also, as noted before, encryption is taxing on the CPU, so encrypting only what is necessary keeps the CPU efficient.
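As an added example (not code from the original post), here is the column-level approach in Go: only cells in columns classified as ePHI are encrypted, with AES-256-GCM, and the column name is bound to each ciphertext so a value cannot be silently moved between columns. The "patients" table, its column names and the key handling are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// ePHI columns of a constructed "patients" table; id and ward code stay plaintext.
var ePHIColumns = map[string]bool{"name": true, "dob": true, "diagnosis": true}

// newGCM builds an AES-256-GCM cipher; in production the key comes from a KMS.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// protectCell encrypts a cell only if its column is ePHI. The column name is
// bound as additional authenticated data, so a ciphertext copied into another
// column fails authentication instead of decrypting to data it should not.
func protectCell(gcm cipher.AEAD, column, value string) (string, error) {
	if !ePHIColumns[column] {
		return value, nil
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(value), []byte(column))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// revealCell reverses protectCell; tampering or a column mismatch is an error.
func revealCell(gcm cipher.AEAD, column, stored string) (string, error) {
	if !ePHIColumns[column] {
		return stored, nil
	}
	ct, err := base64.StdEncoding.DecodeString(stored)
	if err != nil || len(ct) < gcm.NonceSize() {
		return "", errors.New("malformed ciphertext")
	}
	n := gcm.NonceSize()
	pt, err := gcm.Open(nil, ct[:n], ct[n:], []byte(column))
	return string(pt), err
}
```

Because the non-ePHI columns are stored in the clear, they remain indexable and queryable, and the CPU cost of the cipher is limited to the cells HIPAA actually covers.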

Conclusion

Encryption is a valuable tool used to ensure the confidentiality and integrity of sensitive data. In regard to the initial question posed, HIPAA requires that we address the issue and apply encryption commensurate with industry best practices.

If you have any further questions, feel free to get in touch; we’re here 24/7/365 for you.
