HIPAA Encryption – Required or Not?

HIPAA Encryption

Does HIPAA require encryption? Strictly speaking, no: encryption is not a “required” implementation specification under the HIPAA Security Rule, but it is strongly recommended. Whatever you decide, you must ensure that your ePHI (electronic Protected Health Information) is protected from a breach.

The Security Rule's encryption specifications (45 CFR 164.312(a)(2)(iv) for stored data and 164.312(e)(2)(ii) for transmitted data) are labeled “addressable.” Addressable does not mean optional. It means you must assess whether encryption is a reasonable and appropriate safeguard in your environment and, if it is, implement it. If you conclude that it is not, you must document why and put an equivalent alternative measure in place, one that protects the confidentiality, integrity, and availability of the data at least as well as encryption would.

All of this must be documented: the risk assessment, the decision, and, if encryption is not used, the reason and the alternative measure chosen. There is also a strong practical incentive to encrypt. Under the HIPAA Breach Notification Rule, ePHI that is encrypted in line with HHS guidance is not “unsecured” PHI, so a lost or stolen encrypted device whose key was not also compromised is generally not a reportable breach, while the same incident with unencrypted data is.


Technology and HIPAA encryption requirements

The HIPAA encryption rule, like the rest of the Security Rule, is deliberately technology-neutral. It tells covered entities what outcome to achieve (protect the confidentiality, integrity, and availability of ePHI) and lets them choose the technology they deem appropriate for doing so, based on their risk analysis. HIPAA recognizes that technology is always advancing and left the rule open so that it keeps applying as practices change.

For the same reason, HIPAA purposefully did not name a specific algorithm, product, or key length. Requiring a particular technology would risk locking entities into something outdated in just a few years. In practice, HHS guidance points to current NIST recommendations as the benchmark for what counts as acceptable encryption.


What is encryption?

Encryption protects data by transforming readable plaintext into ciphertext that can only be turned back into plaintext with the correct key. Without that key, the ciphertext is unreadable and unusable to whoever obtains it. Two caveats matter in practice. First, encryption by itself protects confidentiality; detecting tampering requires integrity protection as well, which is why modern “authenticated encryption” modes (AES-GCM, for example) are preferred. Second, encrypted data is only as safe as its key: lose the key and the data is gone, leak the key and the encryption is worthless, so key storage, rotation, and backup are part of any encryption plan. Full-disk and file encryption products keep stored data encrypted, and some re-lock access after a period of inactivity, which is a practical way to protect data at rest on laptops and workstations.

Types of encryption:

  • Symmetric encryption (secret-key cryptography)
    • Uses a single shared key for both encryption and decryption, so everyone who holds the key can read the data.
    • Is well suited to closed systems and to encrypting bulk data (disks, databases, backups) where the key does not have to travel far.
    • Is much faster than asymmetric encryption.
    • Needs that one key secured; if it leaks, everything encrypted under it is exposed.
  • Asymmetric encryption (public-key cryptography)
    • Makes use of two mathematically linked keys, one public and one private.
    • Uses the public key for encryption and the private key for decryption, so anyone can send you encrypted data but only you can read it.
    • Is slower, so in practice it is used to protect a symmetric key (or to sign data) rather than to encrypt large records directly.
    • Needs the private key to be kept safe; the public key can be shared freely.
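
As an added example (not part of the original article), the following Go program, using only the standard library, shows the two types in combination as they are typically deployed: a record is encrypted with a symmetric AES-256-GCM key, and that key is then wrapped to a recipient's RSA public key so that only the matching private key can unwrap it. It also shows the integrity side of authenticated encryption: a single flipped bit in the stored ciphertext is rejected on decryption. The patient record, the record identifier used as associated data, the OAEP label, and the function names are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical OAEP label; binds the wrapped blob to this purpose.
var wrapLabel = []byte("ephi-data-key")

// newDataKey returns a fresh random 256-bit AES key (the symmetric secret key).
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newRecipientKey generates an RSA key pair (asymmetric: public + private key).
func newRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// encryptSymmetric seals plaintext with AES-256-GCM. GCM is authenticated
// encryption: the output carries a tag, so a modified ciphertext is rejected
// on decryption rather than decrypted to garbage. aad (e.g. a record id) is
// authenticated but not encrypted. The random nonce is prepended to the output.
func encryptSymmetric(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// decryptSymmetric reverses encryptSymmetric. It fails if the key, nonce,
// ciphertext, tag or aad differ from what was sealed.
func decryptSymmetric(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// wrapKey encrypts the data key to the recipient's public key with RSA-OAEP.
// Anyone holding the public key can wrap; only the matching private key can
// unwrap. This is the usual role of asymmetric crypto: protect the key, not
// the bulk record.
func wrapKey(pub *rsa.PublicKey, dataKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, wrapLabel)
}

// unwrapKey recovers the data key; the wrong private key yields an error.
func unwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, wrapLabel)
}

func main() {
	// Constructed sample record and identifier; not real patient data.
	record := []byte("MRN 000123 | Doe, Jane | 1970-01-01 | dx J18.9")
	aad := []byte("mrn:000123")
	dataKey, _ := newDataKey()
	sealed, _ := encryptSymmetric(dataKey, record, aad)
	recipient, _ := newRecipientKey()
	wrapped, _ := wrapKey(&recipient.PublicKey, dataKey)

	// Recipient side: unwrap the data key with the private key, then open.
	unwrapped, _ := unwrapKey(recipient, wrapped)
	plain, err := decryptSymmetric(unwrapped, sealed, aad)
	fmt.Printf("decrypted: %q (err=%v)\n", plain, err)

	// Flip one bit of the stored ciphertext: the GCM tag check rejects it.
	sealed[len(sealed)-1] ^= 0x01
	_, err = decryptSymmetric(unwrapped, sealed, aad)
	fmt.Println("tampered record rejected:", err != nil)
}
```

Run it with `go run`. In a real deployment the recipient's private key would live in an HSM or a cloud KMS rather than in process memory, and the data key would be rotated per file or per record, but the structure (symmetric for the bulk data, asymmetric only for the key) stays the same.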

Technically, then, HIPAA does not require encryption. It is nevertheless the recommended way to protect the confidentiality of protected health information, and, paired with integrity checks, sound key management, and backups, it supports the integrity and availability requirements as well.


HIPAA data at rest “protection” requirements

Requirements for safeguarding the confidentiality, integrity, and availability of protected health information are in place, and you must comply with them or face fines and/or penalties.

To determine how to protect your data, perform a HIPAA risk analysis covering every way you transmit and store protected health information. The requirements apply to every piece of technology used for transmitting or storing PHI in any form: servers, workstations, laptops, phones, backups, e-mail, and cloud services alike. Once the risk analysis is done, a decision must be made, written down, and implemented at your clinic.

HIPAA civil fines and penalties (the annual caps below follow HHS's 2019 enforcement-discretion notice, and all amounts are adjusted for inflation, so check the current OCR figures):

  • Tier 1
    • Fine of $100 to $50,000 per violation with a $25,000 per year maximum.
    • Applies to violations the entity did not know about and, exercising reasonable diligence, could not have known about.
  • Tier 2
    • Fine of $1,000 to $50,000 per violation with a $100,000 per year maximum.
    • Applies to violations due to reasonable cause and not to willful neglect.
  • Tier 3
    • Fine of $10,000 to $50,000 per violation with a $250,000 per year maximum.
    • Applies to violations caused by willful neglect that are corrected within 30 days of discovery.
  • Tier 4
    • Fine of $50,000 per violation with a $1.5 million per year maximum.
    • Applies to violations caused by willful neglect that are not corrected within 30 days of discovery.

Note: during the COVID-19 public health emergency, HHS OCR announced that it would exercise enforcement discretion and not impose penalties for certain pandemic-related activities (for example, good-faith use of everyday video-chat applications for telehealth). This relief is narrow and time-limited; it does not relax the encryption or other Security Rule requirements in general.


HIPAA encryption standards

Your protected data needs to be kept secure against breaches of confidentiality, integrity, and availability. The best way to do that today is to encrypt it with current, standard algorithms (AES for data at rest, TLS for data in transit). What counts as adequate will change over the years as algorithms age and key-length recommendations rise, so plan to review your choices periodically.

You are not strictly required to encrypt your ePHI, but it is highly recommended, and if you decide not to, you must document why and what equivalent safeguard you use instead.

The HIPAA regulations deliberately keep their encryption language technology-neutral for that reason. It is your responsibility to protect your data with up-to-date technology. Your patients deserve their privacy, and you will face HIPAA fines and/or penalties for not keeping their protected health information secure.

Not only do you have to protect the data, you must also have a written protection plan (policies and procedures that follow from your risk analysis), and your organization must actually implement it. Skipping any of these steps puts you in line for fines for not following HIPAA's rules and regulations.

And please don't forget that everyone who has access to protected health information at your clinic must receive training on HIPAA rules and regulations and on how to uphold the security of your data; a security awareness and training program is a required part of the Security Rule.
