Technical Safeguards: Encryption

HIPAA Compliance and Encryption

After assisting thousands of users become and stay HIPAA compliant over the span of 10 years the technical safeguard I appreciate most is still encryption. There are many technical safeguards to employ when protecting ePHI (Electronic Protected Health Information). However, the thing that will save you in the event of a data breach is encryption. Always has been. 

What is Encryption?

Encryption is the act of scrambling readable text into non-readable text. ‘Plaintext’ being the readable text is converted into ‘ciphertext’. Ciphertext is the result of a mathematical algorithm and a secret key generating jargon. This protects data in a tried and true manner. It is particularly useful for safeguarding protected health information (PHI). This is why healthcare businesses should always encrypt data in both of its types.   

Two Types of Encryption

There are two different and equally important ways to encrypt data. It can be done ‘at rest,’ or while the data is ‘in transit’.

Encryption At Rest

This type of safeguard refers to implementing encryption on the local device. In other words, this laptop I am typing this on is my local device. Since this is a Mac laptop, I can enable encryption on this local device by enabling a software called “FileVault”. If this were a Windows laptop encrypting it is similarly easy. The program for Windows is called “BitLocker”. Both applications come included in the operating system of any recently purchased laptop or desktop device.  

Encryption of Data In Motion

This type of safeguard refers to the transmission of data and encrypting it while it travels to its destination. If I send an email it has to go from me to somewhere else, right? What happens in between matters. This is what is meant by data that is ‘in motion’. 

Encryption and Mobile Device Management

In order to use a mobile device in a manner that is HIPAA compliant you need to enable a couple of things: 

  • Encryption must be enabled at the device level (via Settings)

  • Encryption in transit where applicable 

  • Remote Wipe enabled 

I’m hard-pressed to think of a device nowadays that does not come out of the factory with encryption enabled, but it never hurts to check your device settings to make sure. 

Remote Wipe refers to the ability to wipe a device from a distance in case a device gets lost. 

Your Biggest Risk?

In my professional opinion, your biggest HIPAA/healthcare compliance risk is unencrypted PHI being intercepted by a malicious actor via email. Someone working as a ‘hacker’ could intercept that email and sell the PHI inside on the Dark Web. However, if all the text is scrambled, the efforts that person went to in order to obtain it was a waste. This is why email encryption is the most important thing to ensure you implement to avoid compliance issues in your healthcare organization. 

Why Encryption Matters After a Breach

Here is something most people do not realize. Under the Breach Notification Rule, if your organization experiences a data breach but the affected data was properly encrypted, you may not be required to report it. HHS refers to this as a “safe harbor.” Encrypted data that is breached is generally not considered a reportable breach because the information is unusable without the decryption key. That single safeguard can be the difference between a quiet internal review and a public notification to every affected patient, the media, and the Office for Civil Rights.

In Summary

Interestingly enough, this proven system of encryption is not YET a mandate under HIPAA law. There is a NPRM (Notice of Proposed Rulemaking) that the government is yet to implement which changes things with regard to encryption. 

When implemented, this change to the security rule will, “Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions.” Up until this point encryption was considered ‘addressable’. Addressable, in this sense, means, ‘if you have the means, implement this’. This NPRM does away with this concept. Anything which was previously addressable is now required.

So it is probably best to get started on this project sooner than later. The latest update from the government promises implementation of the NPRM by mid-2027. 

Do you have questions about HIPAA compliance for your organization? Contact Chuck Weiselberg with One Guy Consulting to see how I make HIPAA compliance approachable.

Leave a Comment

Your email address will not be published. Required fields are marked *