Washington Stresses Encryption in HIPAA Security Rule
By Matt Wimberley
Santa Rosa Consulting
The Stage 2 Meaningful Use Proposed Rule indicates Washington’s continued emphasis on the importance of encrypting ePHI (electronic protected health information). This posting explains why your healthcare organization can utilize encryption both as a means to achieve HIPAA compliance and as a strategic financial initiative. The posting opens with a look at the structure of the HIPAA Security Rule (Security Rule) to provide necessary context for readers with limited knowledge of its structure.
The HIPAA Security Rule’s Top-Down Framework
At its broadest level, the Security Rule is organized into 5 safeguards – administrative, physical, technical, organizational, and policy/procedure/documentation. These safeguards represent alternative – and sometimes supplemental – methods organizations can use to protect ePHI. Each of these safeguards is detailed with standards that covered entities must implement to be HIPAA compliant. These standards often have guiding implementation specifications (specifications), which are labeled as “required” or “addressable.”
The labeling structure could easily lead one to conclude that addressable specifications are optional – this is incorrect! The Security Rule states that addressable specifications are required in any situation where their implementation would be “reasonable and appropriate.” If the situation is not reasonable, the reason must be documented and equivalent security measures must be implemented.
A statement by NIST illustrates that this analysis will likely result in a finding that all addressable specifications are required for many federal covered entities; this finding will likely apply to non-federal entities as well: “For all federal agencies . . . all of the HIPAA Security Rule’s addressable implementation specifications will most likely be reasonable and appropriate safeguards for implementation, given their sizes, missions, and resources.”[i]
Importance of Encryption
Encryption is one of the specifications the HIPAA Security Rule labels as addressable. Do not allow your organization to diminish encryption’s importance in your compliance framework. Continued regulatory acts have taken place in Washington since the Security Rule’s enactment that have greatly increased the strategic importance of encryption.
1. Encryption Prevents Application of the Breach Notification Rule
In the event of an ePHI breach, HITECH added to HIPAA’s requirements by mandating that the covered entity notify the affected individuals, HHS, and, in many cases, the media. Congress provided an important exception to this reporting requirement by defining a breach to exclude ePHI protected “with the use of a technology or methodology specified by the Secretary” so long as it “renders protected health information unusable, unreadable, or indecipherable.” The Secretary specified encryption.[ii]