HIPAA - Encryption 164.312(e)(2)(ii)
Overview:
Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
Action Items:
1) Obtain and review policies and procedures regarding the encryption of electronically transmitted EPHI. Evaluate the content relative to the specified criteria to determine that the implementation and use of encryption appropriately secures electronically transmitted EPHI. Elements to review may include but are not limited to:
- Type(s) and documentation of encryption technology used to secure electronically transmitted ePHI
- How the confidential processes or keys used for encryption are managed and protected
- How access to modify or create keys is restricted to appropriate personnel
- When it is appropriate to encrypt ePHI
2) Obtain and review documentation demonstrating that the encryption mechanism is implemented to encrypt EPHI. Evaluate and determine whether the encryption mechanism has the capability to encrypt EPHI when it is deemed appropriate.
3) Obtain and review documentation demonstrating that electronically transmitted EPHI is encrypted. Evaluate and determine whether the encryption of EPHI is appropriate and in accordance with related policies and procedures.
Related Documents:
1) Policies and procedures regarding the encryption of electronically transmitted ePHI.
2) Documentation demonstrating that the encryption mechanism is implemented to encrypt ePHI.
3) Documentation demonstrating that electronically transmitted ePHI is encrypted.
Additional Guidance:
As previously described in the Access Control standard, encryption is a method of converting an original message of regular text into encoded or unreadable text that is eventually decrypted into plain, comprehensible text. The Encryption implementation specification is addressable, similar to the addressable implementation specification at § 164.312(a)(2)(iv), which addresses Encryption and Decryption.
There are various types of encryption technology available to covered entities. For an encryption strategy to be successful, an organization must consider many factors. For example, for encryption technologies to work properly when data is being transmitted, both the sender and receiver must be using the same or compatible technology.
Covered entities use open networks such as the Internet and e-mail systems differently. Currently no single interoperable encryption solution for communicating over open networks exists. Adopting a single industry-wide encryption standard in the Security Rule would likely have placed too high a financial and technical burden on many covered entities. The Security Rule allows covered entities the flexibility to determine when, with whom, and what method of encryption to use.
A covered entity should discuss reasonable and appropriate security measures for the encryption of EPHI during transmission over electronic communications networks with its IT professionals, vendors, business associates, and trading partners.
Covered entities must consider the use of encryption for transmitting EPHI, particularly over the Internet. As business practices and technology change, situations may arise where EPHI being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities. Where risk analysis shows such risk to be significant, a covered entity must encrypt those transmissions under the addressable implementation specification for encryption.
Sample questions for covered entities to consider:
- How does the organization transmit EPHI?
- How often does the organization transmit EPHI?
- Based on the risk analysis, is encryption needed to protect EPHI during transmission?
- What methods of encryption will be used to protect the transmission of EPHI?