HIPAA encryption requirements: Is proof of PHI encryption needed?

HIPAA encryption requirements don't specifically include retaining proof of encryption for devices containing PHI, but expert Mike Chapple says it's still a good practice.

My organization utilizes encryption for PHI to satisfy HIPAA encryption requirements, but I've read that we also need to provide some sort of proof that devices were encrypted when they are lost or stolen. If that is the case, how exactly do we go about providing proof? Are there any other reporting requirements in this vein we may be missing?

This information probably comes from marketing materials provided by a vendor offering encryption solutions that provide this sort of proof. The HIPAA Omnibus rule does not contain any language that specifically requires covered entities to prove that lost or stolen devices were encrypted. This might be a very liberal interpretation of the rule, but it is not an explicit requirement.

However, I would still recommend encrypting portable devices and retaining evidence. Encrypting devices that contain PHI provides a way to neatly sidestep HIPAA's breach notification requirements if the device is lost or stolen. Quite simply, the loss of a device containing properly encrypted data does not constitute a breach. Of course, that begs the question, what is proper encryption? You should be using a widely accepted algorithm, such as AES, and safeguarding the key so that it is protected from disclosure.

Why retain evidence even if there is not an explicit requirement to do so? Maintaining records that demonstrate the devices were encrypted can unequivocally settle the question in the event of a breach, protecting the organization against lawsuits or regulatory action. The easy way to do this is to implement encryption through a centralized system that allows you to track compliance throughout the enterprise. This may be a standalone encryption product or it may be a capability of the existing system configuration management tool.

Either way, if the systems are well-managed, it should not be a difficult task to maintain those records and get a "get out of jail free" card that you can redeem in the event of a lost or stolen device.
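The answer above recommends keeping centrally collected records that show each device was properly encrypted, so the question can be settled after a loss. The following is an added example, not code from the original page or from Mike Chapple, of what such an evidence store can look like: device check-in reports (constructed sample data) are appended to a ledger chained with an HMAC so that later edits are detectable, each report is judged against the two criteria the answer gives (a widely accepted algorithm such as AES, and a safeguarded key), and a lookup returns the most recent attestation that predates the reported loss. The field names, the minimum key length, and the `key_protected` flag are assumptions made for this example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Minimum acceptable key length per accepted algorithm. The page only says
# "a widely accepted algorithm, such as AES"; 128 bits is this example's assumption.
ACCEPTED_ALGORITHMS = {"AES": 128}


def parse_time(stamp):
    """Parse an ISO-8601 UTC timestamp such as 2014-07-01T09:00:00Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def is_properly_encrypted(report):
    """Apply the two criteria from the answer: accepted algorithm and safeguarded key.

    'key_protected' is an assumed field meaning the key is not recoverable from the
    device alone (for example it is bound to a TPM or derived from a user passphrase).
    """
    if not report.get("encrypted"):
        return False
    min_bits = ACCEPTED_ALGORITHMS.get(report.get("algorithm"))
    if min_bits is None or report.get("key_bits", 0) < min_bits:
        return False
    return bool(report.get("key_protected"))


class EvidenceLedger:
    """Append-only log of encryption check-ins; each entry's HMAC covers the previous
    entry's HMAC, so altering or dropping an old record breaks verification."""

    def __init__(self, mac_key):
        self.mac_key = mac_key
        self.entries = []

    def _mac(self, prev_mac, report):
        body = json.dumps(report, sort_keys=True, separators=(",", ":"))
        return hmac.new(self.mac_key, (prev_mac + body).encode(), hashlib.sha256).hexdigest()

    def append(self, report):
        prev_mac = self.entries[-1]["mac"] if self.entries else "0" * 64
        self.entries.append({"report": dict(report), "prev_mac": prev_mac,
                             "mac": self._mac(prev_mac, report)})

    def verify(self):
        """Recompute the chain from the start; False if any entry was edited or re-ordered."""
        prev_mac = "0" * 64
        for entry in self.entries:
            expected = self._mac(prev_mac, entry["report"])
            if entry["prev_mac"] != prev_mac or not hmac.compare_digest(entry["mac"], expected):
                return False
            prev_mac = entry["mac"]
        return True

    def evidence_for_loss(self, device_id, lost_at):
        """Return the latest check-in for device_id at or before lost_at if it shows
        proper encryption; None if the last known state does not meet the criteria."""
        if not self.verify():
            raise ValueError("ledger integrity check failed; records cannot be relied on")
        cutoff = parse_time(lost_at)
        latest = None
        for entry in self.entries:
            r = entry["report"]
            if r["device_id"] != device_id or parse_time(r["checked_at"]) > cutoff:
                continue
            if latest is None or parse_time(r["checked_at"]) > parse_time(latest["checked_at"]):
                latest = r
        return latest if latest is not None and is_properly_encrypted(latest) else None


# Constructed sample check-ins, as a central management tool might report them.
SAMPLE_REPORTS = [
    {"device_id": "LAPTOP-0001", "checked_at": "2014-07-01T09:00:00Z", "encrypted": True,
     "algorithm": "AES", "key_bits": 256, "key_protected": True},
    {"device_id": "LAPTOP-0002", "checked_at": "2014-07-01T09:05:00Z", "encrypted": False,
     "algorithm": None, "key_bits": 0, "key_protected": False},
    {"device_id": "LAPTOP-0003", "checked_at": "2014-07-15T10:00:00Z", "encrypted": True,
     "algorithm": "RC4", "key_bits": 128, "key_protected": True},   # not an accepted algorithm
    {"device_id": "LAPTOP-0001", "checked_at": "2014-08-01T09:00:00Z", "encrypted": True,
     "algorithm": "AES", "key_bits": 256, "key_protected": True},
]


def build_sample_ledger():
    ledger = EvidenceLedger(b"constructed-ledger-key-not-for-production")
    for report in SAMPLE_REPORTS:
        ledger.append(report)
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for device in ("LAPTOP-0001", "LAPTOP-0002", "LAPTOP-0003"):
        print(device, ledger.evidence_for_loss(device, "2014-08-15T00:00:00Z"))
```

Only a check-in dated before the loss counts, since a later report says nothing about the device's state when it went missing, and the lookup refuses to answer at all if the chain no longer verifies; a record that can be silently rewritten after the fact is not evidence.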


This was last published in August 2014
