
Should enterprises require an encryption policy for health information?

Companies that comply with HIPAA aren't required to have an encryption policy, but expert Mike Chapple recommends having one anyway.

I know HIPAA doesn't require data encryption, but with all of the data breaches involving stolen or lost devices with unencrypted data on them, should I require it as a company policy?

In short, yes. Absolutely. You are correct that the Health Insurance Portability and Accountability Act (HIPAA) does not expressly mandate the use of encryption to protect sensitive information: the Security Rule lists encryption as an "addressable" implementation specification, which means a covered entity must either implement it or document why it is not reasonable and appropriate in its environment and what equivalent measure it uses instead. Choosing not to encrypt is therefore a decision you must be prepared to defend, and it is good security sense to encrypt anyway. Encryption renders the contents of a device or file unreadable to anyone lacking the corresponding decryption key, so if a device containing sensitive data is lost or stolen, encryption can save you from an embarrassing security incident.

While HIPAA does not require the use of encryption, it does provide a safe harbor for those who adopt it. The breach notification rule requires covered entities to notify affected individuals of a breach in a timely manner. However, this requirement is only triggered if the breach involves "unsecured protected health information." The Department of Health and Human Services defines this as "protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of [encryption or destruction]." The safe harbor rests on the encryption actually being effective: HHS guidance points to NIST standards for encrypting data at rest and in motion, and the decryption key must not have been compromised along with the data. A lost laptop whose disk is encrypted but whose passphrase was written on a note in the same bag gives you no such protection, so your policy needs to cover key handling, not just the checkbox that encryption is turned on.

Is encryption required? No. Is it an effective practice to protect health records and other sensitive information? Yes. The law does not require the use of encryption, but it acknowledges the value of encryption in minimizing the impact of security breaches. Organizations should deploy a combination of file and disk encryption technology to protect electronic protected health information, because the two cover different failure modes. Disk encryption provides blanket protection for data at rest on a device that is lost or stolen while powered off or locked; once a user has unlocked the device, the operating system decrypts transparently, so disk encryption does nothing against malware on a running session and does not follow data that is copied off the device. File encryption protects the contents of individual documents even when they are transferred via e-mail or file sharing, because the document stays encrypted until the recipient decrypts it with the key. Whichever tools you choose, insist on modern authenticated algorithms and a defined key-management process; those matter as much as the policy statement itself.


This was last published in March 2015


You can go beyond encrypting files for emailing and sharing files. Active Directory can prevent a file from being emailed or shared outside a group.