
Does HIPAA Require Encryption?

Is Encryption Required by HIPAA?

HIPAA, formally known as the Health Insurance Portability and Accountability Act, was signed into law in the 1990s. These regulations were enacted as a multi-tiered approach to improving the health insurance system. HIPAA includes specifications that ensure the confidentiality and privacy of protected health information. Many wonder whether encryption is required by HIPAA, but because these regulations are so convoluted, the answer is hard to pin down. The HIPAA Security Rule does not explicitly say that encryption of data at rest or in transit is required. Because this specification is classified as "addressable," HHS expects an entity to address encryption wherever it is "reasonable and appropriate." Let's break down what that means:

  • HHS is saying that you do not have to encrypt your data, but you need to be prepared to state in writing why you believe encryption is not appropriate, because if you are audited, your documentation will be reviewed by the OCR (Office for Civil Rights).

  • If an entity does a proper risk analysis, there are very few scenarios in which encryption is not "reasonable and appropriate."

  • If a data breach occurs, it is very unlikely that the victim(s) or the OCR will agree with an entity claiming that encryption was not necessary. So although encryption may not be called out as mandatory, the majority of healthcare professionals will tell you that it is effectively required.

Why does HIPAA matter? All healthcare entities and organizations that use, store, maintain or transmit patient health information are expected to be in complete compliance with the HIPAA regulations. When fully adhered to, HIPAA regulations not only ensure privacy, reduce fraudulent activity and improve data systems, but are estimated to save providers billions of dollars annually. By knowing about and preventing the security risks that could result in major compliance costs, organizations are able to focus on growing their business instead of fearing potential audit fines.

HIPAA legislation is ever-evolving, and although it may seem complicated and tedious, it is imperative that everyone be in compliance. HIPAA has many parts, including rules such as the HIPAA Privacy Rule and the HIPAA Security Rule. Just as one must be aware of every minute part of these HIPAA directives, one must be prepared for change. With healthcare reform and other disruptive movements, the industry needs flexibility. Keep an open mind when tackling healthcare, because nothing is set in stone, nor will it ever be.

Despite the complexity of our healthcare system, everyone can make an impact. By being an educated healthcare consumer, the industry is one step closer to moving from a volume-based care model to one that is purely value-based. It is time to understand healthcare, analyze behaviors and determine solutions. Why now? Because there's no better time than now.

For more information on HIPAA, check out the Datica Blog. Additional questions? Contact one of our experts today.
