I know HIPAA doesn't require data encryption, but with all of the data breaches involving stolen or lost devices with unencrypted data on them, should I require it as a company policy?
In short, yes. Absolutely. You are correct in stating that the Health Insurance Portability and Accountability Act (HIPAA) does not expressly mandate the use of encryption to protect sensitive information, but it is good security sense to do so. Encryption renders the contents of a device or file unreadable to anyone lacking access to the corresponding decryption key. If a device containing sensitive data is lost or stolen, encryption can save you from an embarrassing security incident.
While HIPAA does not require the use of encryption, it does provide a safe harbor for those who adopt it. The breach notification rule requires covered entities to notify affected individuals of a breach in a timely manner. However, this requirement is only triggered if the breach involves "unsecured protected health information." The Department of Health and Human Services defines this as "protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of [encryption or destruction]."
Is encryption required? No. Is it an effective practice to protect health records and other sensitive information? Yes. The law does not require the use of encryption, but it acknowledges the value of encryption in minimizing the impact of security breaches. Organizations should deploy a combination of file and disk encryption technology to protect electronic protected health information. Disk encryption provides blanket protection for devices in the event they are lost or stolen. File encryption protects the contents of documents even if they are transferred via e-mail or file sharing.