The Health Insurance Portability and Accountability Act (HIPAA) requires both Covered Entities and Business Associates to protect the security of Protected Health Information (PHI) in a variety of ways. Specifically, HIPAA’s Security Rule sets forth administrative, physical, and technical safeguards that must be implemented to ensure the confidentiality, integrity, and availability of electronic PHI and to mitigate the risk of improper access to it. While implementing or updating these safeguards, many Covered Entities and Business Associates ask the same question: does HIPAA mandate the encryption of electronic PHI?
The Security Rule divides its implementation specifications into two groups: those that are “required” and those that are “addressable.” In this context, addressable does not mean optional. Rather, an entity must assess whether the addressable specification is reasonable and appropriate for its environment; if it is, the entity must implement it, and if it is not, the entity must document why and implement an equivalent alternative measure where one is reasonable and appropriate. Encryption of data at rest and encryption of data in transmission are both addressable specifications, so HIPAA does not automatically require entities to encrypt electronic PHI in order to be compliant. Covered Entities and Business Associates must, however, consider encryption as part of their risk analysis, and for many of them encryption will be the reasonable and appropriate choice. If an entity determines that encryption is not appropriate for its business, it may document its rationale and adopt alternative measures that secure PHI both at rest and in transit, and still be in line with HIPAA. The U.S. Department of Health and Human Services (HHS) has recognized that encryption may impose substantial financial and technical burdens, particularly on small, rural entities. Such entities might plausibly determine that encryption is not appropriate for their business and implement alternative security mechanisms that are sufficient, provided the decision and its rationale are documented.
Although encryption is not strictly required by HIPAA, it is an advisable safeguard to implement whenever feasible, both because it is an especially effective way to protect against improper access to PHI and because of how it interacts with the Breach Notification Rule. Breach notification obligations apply only when the PHI at issue is “unsecured,” meaning that it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a method approved in HHS guidance, namely encryption consistent with NIST standards or, for data that is no longer needed, destruction. A lost laptop whose drive is encrypted in accordance with that guidance therefore falls within the safe harbor and need not be reported, while the same laptop with an unencrypted drive does. The safe harbor depends on the decryption key not also having been compromised, so key management matters as much as the encryption itself. For these reasons, HHS has strongly encouraged encryption as the “best defense” against reportable security breaches.
Additionally, entities should keep in mind that HIPAA is not the only law governing encryption of information. Many states have enacted laws and regulations that aim to protect sensitive personal information, and some, such as Massachusetts, affirmatively require the encryption of certain personal data (for example, when it is transmitted over public networks or stored on laptops and other portable devices). While each state covers a slightly different set of data elements, most protect Social Security numbers, driver’s license numbers, and financial account information, categories that health care entities routinely hold alongside PHI. Thus, when deciding whether or not to encrypt information, entities should weigh general business interests as well as HIPAA and applicable state law.