HIPAA - Encryption and Decryption 164.312(a)(2)(iv)
Overview:
Implement a mechanism to encrypt and decrypt electronic protected health information.
Action Items:
1) Obtain and review the policies and procedures regarding the encryption and decryption of ePHI. Evaluate the content against the following criteria to determine whether the implementation and use of encryption appropriately protects ePHI:
- The type(s) of encryption technology used for devices and media that contain or have access to ePHI, and the documentation of that technology;
- How the confidential processes or keys used for encryption and decryption are managed and protected;
- How access to create or modify keys is restricted to appropriate personnel.
2) Obtain and review documentation demonstrating ePHI being encrypted and decrypted. Evaluate it to determine whether ePHI is encrypted and decrypted in accordance with the related policies and procedures.
Related Documents:
1) Policies and procedures regarding the encryption and decryption of ePHI.
2) Documentation demonstrating ePHI being encrypted and decrypted.
Additional Guidance:
Encryption converts readable information (plaintext) into an encoded form (ciphertext) by means of an algorithm combined with a key. When information is properly encrypted, there is a low probability that anyone other than a party holding the key, or with access to another confidential process, could decrypt (translate) the ciphertext back into plain, comprehensible text. Many encryption methods and technologies exist to protect data from being accessed and viewed by unauthorized users; the protection they provide is only as strong as the handling of the keys, so how keys are generated, stored and access-controlled matters as much as the algorithm chosen.
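The guidance above describes encryption abstractly. The following Go program is an added example, not part of the HIPAA audit protocol, showing one common way to implement the mechanism this specification calls for and to answer the key-management questions in the action items: each record is encrypted with AES-256-GCM under a fresh data-encryption key (DEK), and the DEK is itself wrapped under a key-encryption key (KEK) that the key management system protects and that only authorized personnel may create or rotate. The stored envelope carries a KEK identifier so the right key can be found after rotation. Because AES-GCM is authenticated, decryption with the wrong key or of an altered record fails outright rather than yielding garbage. The record contents, key identifier and `Envelope` layout are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Envelope is what gets stored with the record: everything needed to decrypt
// it except the KEK, which stays in the key management system. The layout is
// an illustrative choice, not a standard format.
type Envelope struct {
	KEKID      string // which key-encryption key wrapped the DEK (supports rotation)
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended
	Ciphertext []byte // AES-256-GCM(DEK, record), nonce prepended
}

// newGCM builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key, binding aad to the ciphertext. The random
// nonce is prepended so the output is self-describing.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal. It fails if the key or aad is wrong or any byte of the
// ciphertext or tag was altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptRecord generates a per-record DEK, encrypts the record with it, wraps
// the DEK under the KEK and returns the envelope. The DEK never leaves this
// function in the clear, so only the KEK needs to be protected long-term.
func EncryptRecord(kekID string, kek, record []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, record, []byte(kekID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(kekID))
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK named in the envelope, then
// decrypts the record. Either step failing is reported as an error.
func DecryptRecord(env *Envelope, kek []byte) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(env.KEKID))
}

func main() {
	// Constructed sample KEK; in production this lives in an HSM or KMS.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	// Constructed sample ePHI record with placeholder values.
	record := []byte(`{"mrn":"000-00-0000","dx":"J45.20"}`)

	env, err := EncryptRecord("kek-v1", kek, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: kek=%s ct=%s...\n", env.KEKID, hex.EncodeToString(env.Ciphertext[:8]))

	plain, err := DecryptRecord(env, kek)
	fmt.Printf("correct KEK: %s err=%v\n", plain, err)

	_, err = DecryptRecord(env, make([]byte, 32)) // wrong KEK: unwrap fails
	fmt.Printf("wrong KEK: err=%v\n", err)

	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01 // flip one bit of the stored record
	_, err = DecryptRecord(env, kek)
	fmt.Printf("tampered ciphertext: err=%v\n", err)
}
```

For an auditor, the points of interest are that the KEK is the only long-lived secret and so is the object of the "how keys are managed and protected" question, that `KEKID` lets the entity demonstrate rotation, and that the authenticated mode turns an unauthorized or corrupted decryption attempt into a logged failure rather than silently producing altered data.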
Sample questions for covered entities to consider:
- Which ePHI should be encrypted and decrypted to prevent access by persons or software programs that have not been granted access rights?
- What encryption and decryption mechanisms are reasonable and appropriate to implement to prevent access to ePHI by persons or software programs that have not been granted access rights?