HIPAA encryption requirements: How to avoid a breach disclosure

Following the recent Tricare breach, our CIO would like us to provide validation that we’ve sufficiently encrypted our company’s customer data. In the event of a breach, we want to avoid making a disclosure in accordance with HIPAA’s breach notification mandate that is necessary when data isn’t sufficiently encrypted. However, it seems like there is some gray area regarding what’s considered sufficient encryption. Can you boil down exactly what HIPAA demands with respect to data encryption, so an enterprise may avoid a breach disclosure?


The National Institute of Standards and Technology (NIST) has published an excellent reference on HIPAA security that touches on the issue of HIPAA encryption requirements.

However, this document is three years old and rather long (117 pages). So let's start with the two points that matter most: what information needs to be encrypted, known as ePHI (electronic protected health information), and what is considered sufficient encryption. According to the Department of Health and Human Services, ePHI is any protected health information (PHI) subject to the federal HIPAA regulation. It refers to any information that identifies an individual, usually a patient, and relates to at least one of the following:

  • The individual's past, present or future physical or mental health;
  • The provision of health care to the individual;
  • Past, present, or future payment for health care.

That definition is reasonably straightforward, but this information is constantly being stored, processed or transmitted within a myriad of IT systems throughout many organizations. The challenge, therefore, is identifying all of those systems.

Encryption, on the other hand, is rather straightforward: it is simply the process of transforming data into an unreadable format by the use of a cryptographic algorithm. The Advanced Encryption Standard (AES) is the specification for encrypting electronic data that is now most widely used, so enterprise security pros will find it readily available in many tools and utilities that offer encryption. Note that the HHS breach notification guidance treats encrypted data as unreadable only if the decryption key was not compromised along with it, so keys must be stored and managed separately from the data they protect. It is now clear what to encrypt and how to encrypt; where to encrypt is the harder question, as IT systems holding ePHI seem to be everywhere. Using the following encryption measures should prove sufficient to meet HIPAA encryption requirements.

  • Serve all websites over SSL/TLS (HTTPS in the site's URL). In short, any website owned or operated by your entity that handles ePHI needs to be encrypted in transit.
  • Encrypt all databases that hold ePHI "at rest." Data at rest is data stored in a repository, usually in files within a given database. Column-level or file-level encryption of the ePHI data would suffice for HIPAA requirements.
  • Encrypt all emails that contain ePHI, and always use a secured connection, such as an IPsec VPN tunnel, when accessing ePHI over untrusted networks.
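To make the "column-level protection" bullet concrete, here is an added example (not from the original article) of sealing one ePHI column value with AES-256-GCM. It assumes the key is fetched from a KMS or HSM rather than stored beside the database, and it binds each ciphertext to its row and column so a value copied into another record no longer decrypts; the table and column names are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptColumn seals one ePHI column value. aad (e.g. "patients:42:diagnosis") binds the
// ciphertext to its row and column. Stored form: hex(nonce || ciphertext || tag).
func EncryptColumn(key []byte, aad, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every value
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad))
	return hex.EncodeToString(sealed), nil
}

// DecryptColumn reverses EncryptColumn; a changed value, wrong key or wrong aad is rejected.
func DecryptColumn(key []byte, aad, stored string) (string, error) {
	raw, err := hex.DecodeString(stored)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("bad key or stored value")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(aad))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

The key in the demo is a constructed 32-byte value; in production it would be the KMS-held column key, never a value written into the same store as the ciphertext.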

In summary, the meaning of encryption is rather straightforward, as is what to encrypt. Your real challenge is finding and identifying every system that potentially stores or transmits ePHI.

This was first published in December 2011
