Ok… technically that’s not 100% true. The HIPAA Security Rule doesn’t explicitly require encryption of data at rest, or even during transmission. However, this doesn’t mean what people think it means and that misunderstanding is getting a lot of folks into trouble (literally).
The HIPAA Security Rule is a three-tier framework broken down into Safeguards, Standards and Implementation Specifications. Within the Technical Safeguards, both the Access Control Standard (i.e., data at rest) and the Transmission Security Standard (i.e., data in motion) have an Implementation Specification for Encryption. Neither of them is “Required”; both are listed as “Addressable.” So we’re done, right? Not so fast. From the HHS FAQ:
“In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification:
- Implement the addressable implementation specifications;
- Implement one or more alternative security measures to accomplish the same purpose;
- Not implement either an addressable implementation specification or an alternative”
So… it’s not required. But HHS goes on:
“The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. For example, a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.”
The key phrase here is “reasonable and appropriate.” As in, encryption IS required if it’s reasonable and appropriate to encrypt. This is really important and we’ll come back to it later. HHS continues:
“This decision will depend on a variety of factors, such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation. The decisions that a covered entity makes regarding addressable specifications must be documented in writing. The written documentation should include the factors considered as well as the results of the risk assessment on which the decision was based.”
Basically what they’re saying is that you don’t “have to” encrypt, but if you choose not to, you’d better be prepared to demonstrate, in writing, why you believe that. Then, in the event of an audit, the Office for Civil Rights (OCR) will review your documentation and determine whether or not they agree with you.
Mobile Devices
If you check out the HHS Wall of Shame, where breaches involving 500 or more patients are posted, you’ll notice a very large number of lost or stolen laptops that were not encrypted. In a comment about the settlement with Hospice of North Idaho that involved a stolen laptop, OCR Director Leon Rodriguez said: “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.” And it really can be easy. You can purchase inexpensive encrypted hard drives for all new laptops and install third-party tools on old ones (see Five Best File Encryption Tools from Gizmodo). If you have mobile devices that may contain PHI and are not encrypted, stop reading and go encrypt them right now. Seriously.
The Data Center
Many people have bought into the idea of encrypting mobile devices, but not their servers. To an extent this makes sense, given that most breaches have resulted from lost or stolen devices and not so much from hacking. However, Leon Rodriguez noted in a presentation at HIMSS13 that he anticipates hacking to be a threat that will likely grow as time goes on, and the best protection in that scenario is data encryption. This is a more complicated issue for sure, but there are lots of tools and techniques that make it very doable. I plan to elaborate on those options in an upcoming post.
Data in Motion
I’m not going to get into much detail on this one. Use SSL, VPN, or some other method of encryption when transmitting your data over public lines. Period. If you have a scenario where it is “reasonable and appropriate” to send someone’s health information in plain text over the public internet, I’d love to hear about it.
Conclusion
You’re required to encrypt PHI in motion and at rest whenever it is “reasonable and appropriate” to do so. I’ll bet that if you do a proper risk analysis, you’ll find very few scenarios where it’s not. Even if you think you’ve found one, and then you’re breached, you have to convince Leon Rodriguez and the OCR, who think encryption is both necessary and easy, that you’re correct. Is that an argument you want to be making in the face of hefty fines? Not me… and that’s why I have convinced myself that encryption is required by HIPAA.