HIPAA Encryption Requirements

    Comply with HIPAA encryption requirements with Mimecast.
    Overview

    Why does HIPAA require encryption?

    HIPAA requires encryption for one core reason: to ensure the confidentiality and security of PHI (Protected Health Information), which includes any individually identifiable health information that is created, received, maintained or transmitted by healthcare providers, health plans, healthcare clearinghouses, or any of their business associates.

    Simply put, encryption converts sensitive data into a format that can only be read with the associated decryption key. Even if malicious actors get their hands on PHI, the data is useless to them unless they also obtain that key.

    Encryption is also a powerful breach-mitigation measure. If encrypted PHI is stolen, the risk of harm to individuals is drastically reduced, because the thief would also need the decryption key. Under the HHS breach notification guidance, ePHI that is encrypted in line with that guidance is not considered "unsecured PHI", so the loss of properly encrypted data generally does not trigger a reportable breach. That protection holds only if the key was not compromised along with the data, which is why keys must be stored and managed separately from the data they protect.

    Implementing encryption is a proactive way to reduce the risk of unauthorized data access, and HIPAA treats it as a compliance requirement.

    Overall, failing to implement robust cybersecurity measures in healthcare can result in financial penalties and reputational damage if a breach or unauthorized access occurs.

    Who must comply with the HIPAA Security Rule?

    According to the U.S. Department of Health and Human Services – “The Security Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the "covered entities") and to their business associates.”

    Covered entities include –

    • Healthcare Providers – doctors, nurses, clinics, hospitals, nursing homes, and other healthcare practitioners or facilities that transmit or store PHI electronically
    • Health Plans – health insurance companies, Health Maintenance Organizations, Medicare, Medicaid, and other insurance programs that transmit or store PHI electronically
    • Healthcare Clearinghouses – public or private entities, including billing services, repricing companies, community health management information systems, or community health information systems, that process health information into or out of standard formats

    Examples of business associates include –

    • Third-party administrators
    • Billing companies
    • Cloud storage providers
    • Medical transcription services
    • Health information technology vendors

    A business associate's responsibilities and obligations are set out in a Business Associate Agreement (BAA) signed between the covered entity and the business associate. Without a BAA in place, a vendor that handles ePHI on the covered entity's behalf puts the covered entity out of compliance regardless of how well the data is encrypted.

    What do the HIPAA encryption requirements protect?

    HIPAA encryption requirements protect electronic PHI (ePHI) from being disclosed if the data is ever accessed by an unauthorized party.

    However, encryption is only one part of the cybersecurity strategy healthcare organizations need in order to protect ePHI. Malicious actors are creative and persistent. If an attacker can trick someone inside the organization into treating them as an authorized, trusted party (a phishing or impersonation attack), encryption alone will not protect the information, because the data is decrypted for whoever the system believes is authorized.

    What are the HIPAA Encryption Requirements?

    The HIPAA Security Rule does not provide specific technical details as to how encryption should be used. It instead sets out general requirements and standards for protecting ePHI, with encryption listed as an "addressable" implementation specification for both stored ePHI (45 CFR 164.312(a)(2)(iv)) and transmitted ePHI (45 CFR 164.312(e)(2)(ii)).

    "Addressable" does not mean optional. Organizations must implement encryption where it is reasonable and appropriate, as determined by their risk assessment; where they conclude it is not, they must document that decision and implement an equivalent alternative safeguard. In practice, a risk assessment that concludes ePHI on laptops, portable media or outbound email does not need encryption is very hard to defend.

    Key aspects of the HIPAA encryption requirements are strong encryption for data at rest and for data in transit. HHS points covered entities to NIST guidance for the details, which for stored data covers full disk encryption, virtual disk encryption and file/folder encryption, and for transmitted data covers TLS, IPsec and similar protocols.

    The challenge of HIPAA encryption requirements

    HIPAA encryption requirements create a significant challenge for IT teams charged with ensuring privacy and security in healthcare.

    The Health Insurance Portability and Accountability Act, or HIPAA, was enacted in 1996, and its Privacy and Security Rules require covered entities to protect the privacy and security of protected health information (PHI). Since that time, email has become a dominant form of communication and is frequently used to share protected patient data. For IT organizations, complying with HIPAA encryption requirements means adopting some form of healthcare secure messaging technology.

    The challenge for IT teams is ensuring all email meets HIPAA encryption requirements. A solution that enables healthcare providers to send HIPAA encrypted email is one thing; ensuring that patients and their caregivers outside the organization can send encrypted replies is quite another. Many solutions designed to meet HIPAA encryption requirements involve burdensome administration or client software that recipients must install before they can read an encrypted message.

    As a leading provider of solutions for email security, archiving and continuity, Mimecast provides an all-in-one solution that makes it easy for healthcare organizations to comply with HIPAA encryption requirements.

    Different types of encryption used to meet HIPAA requirements

    The most common types of encryption used to meet HIPAA requirements are the Advanced Encryption Standard (AES, typically with 256-bit keys) for data at rest, Transport Layer Security (TLS) for data in transit between mail servers, and OpenPGP (Pretty Good Privacy) and S/MIME for end-to-end encryption of individual email messages. TLS protects each hop between servers but leaves the message readable on every server along the way; OpenPGP and S/MIME keep the message encrypted until the recipient decrypts it, at the cost of both parties needing to manage keys or certificates.

    Comply with HIPAA encryption requirements with Mimecast

    Mimecast's cloud-based subscription service enables healthcare organizations to reduce the cost and complexity of managing and protecting email while complying with HIPAA encryption requirements. As a SaaS-based solution, Mimecast can be implemented quickly and scale easily to accommodate changing business requirements.

    Mimecast's comprehensive services enable organizations to simplify email archiving, ensure email continuity even during outages, and defend against a myriad of healthcare industry cyber security threats. In addition to meeting HIPAA requirements for email, Mimecast provides defenses against ransomware, spear-phishing, and impersonation attacks that are commonly used to penetrate network defenses and steal patient information.

    Importance of using encryption for email communications that contain PHI

    Protecting patient data is critical. It can include highly confidential information such as X-rays, patient images, and other healthcare records.

    Emails containing this type of sensitive data must be encrypted to preserve the confidentiality of PHI, and, where messages are also signed (as with S/MIME or OpenPGP), their integrity. Email encryption is an effective way to protect patient data.

    The Benefits of HIPAA-Compliant Encryption

    The key benefit of HIPAA-compliant encryption is that covered entities and their business associates are less likely to experience a breach due to unsecured ePHI.

    Data in transit and data at rest should both be encrypted wherever the risk assessment finds it reasonable and appropriate, which in practice is almost everywhere ePHI lives. HIPAA-compliant encryption ensures that data remains protected even if a device is lost or stolen, provided the decryption key is not stored on or alongside the device.

    Mimecast Solutions for meeting HIPAA encryption requirements

    Mimecast's Secure Messaging service enables organizations to ensure healthcare privacy and security and to easily meet HIPAA encryption requirements. With Secure Messaging, users can simply click Send Secure when composing a message in their email client in order to ensure that the message is sent securely. After they press Send, messages and attachments are securely uploaded to the Mimecast cloud, scanned for malware and viruses, and stored in a secure AES encrypted archive. Recipients then receive a notice that a message is waiting, with instructions about how to log into the Mimecast secure portal to read, reply and compose new secure messages.

    Mimecast Secure Messaging also allows organizations to automatically send messages that comply with HIPAA encryption requirements when they contain certain content or are sent to certain recipients or domains.
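    As an added illustration of the kind of content- and recipient-based rule described above (example code written for this page, not Mimecast's own policy engine or any of its APIs), the following Go program evaluates an outbound message against a constructed policy: mail to a domain on a "secure" list is always routed through the secure channel, and mail leaving the organization is also routed securely when the subject or body matches patterns that indicate ePHI (here a medical record number, a US Social Security number, and a few clinical keywords). The domain names, the patterns and the sample messages are all constructed assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Policy holds the rules that decide whether an outbound message must go
// through the secure channel. Every value below is a constructed example.
type Policy struct {
	InternalDomains []string         // mail that stays inside these domains is not rerouted
	SecureDomains   []string         // recipients in these domains always get secure delivery
	PHIPatterns     []*regexp.Regexp // content that indicates ePHI
}

// Message is the minimal view of an outbound email the policy needs.
type Message struct {
	To      []string
	Subject string
	Body    string
}

// Decision records the outcome and why, so the reasons can be logged and audited.
type Decision struct {
	Secure  bool
	Reasons []string
}

// DefaultPolicy returns the constructed example policy. Real deployments tune
// the patterns to their own identifier formats and accept some false positives.
func DefaultPolicy() Policy {
	return Policy{
		InternalDomains: []string{"clinic.example"},
		SecureDomains:   []string{"partner-lab.example"},
		PHIPatterns: []*regexp.Regexp{
			regexp.MustCompile(`(?i)\bMRN[\s:#-]*\d{6,10}\b`),                  // medical record number
			regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`),                        // US Social Security number
			regexp.MustCompile(`(?i)\b(diagnosis|lab results?|prescription)\b`), // clinical keywords
		},
	}
}

// domainOf extracts the lower-cased domain part of an address ("" if malformed).
func domainOf(addr string) string {
	at := strings.LastIndex(addr, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(strings.TrimSpace(addr[at+1:]))
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// Evaluate applies the policy. Recipient rules fire unconditionally; content
// rules only matter once at least one recipient is outside the organization,
// since internal mail never leaves the organization's own mail system.
func (p Policy) Evaluate(m Message) Decision {
	var d Decision
	external := false
	for _, rcpt := range m.To {
		dom := domainOf(rcpt)
		if contains(p.SecureDomains, dom) {
			d.Reasons = append(d.Reasons, "recipient domain "+dom+" requires secure delivery")
		}
		if !contains(p.InternalDomains, dom) {
			external = true
		}
	}
	if external {
		text := m.Subject + "\n" + m.Body
		for _, re := range p.PHIPatterns {
			if re.MatchString(text) {
				d.Reasons = append(d.Reasons, "content matched "+re.String())
			}
		}
	}
	d.Secure = len(d.Reasons) > 0
	return d
}

func main() {
	p := DefaultPolicy()
	// Constructed sample messages; none contain real patient data.
	samples := []Message{
		{To: []string{"patient@mail.example"}, Subject: "Visit summary", Body: "Your MRN 000123 lab results are attached."},
		{To: []string{"nurse@clinic.example"}, Subject: "Chart update", Body: "MRN 000123 diagnosis confirmed."},
		{To: []string{"ops@partner-lab.example"}, Subject: "Scheduling", Body: "Courier pickup at 3pm."},
		{To: []string{"vendor@supplier.example"}, Subject: "Order", Body: "Invoice for printer toner."},
	}
	for _, m := range samples {
		d := p.Evaluate(m)
		fmt.Printf("to=%v secure=%t reasons=%v\n", m.To, d.Secure, d.Reasons)
	}
}
```

    The decision carries its reasons so that an auditor can see why a given message was, or was not, rerouted. A real policy would usually also inspect attachments and would be tuned against the organization's own identifier formats, since simple patterns like these both miss ePHI written in free text and occasionally flag harmless mail.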

    Learn more about Mimecast and HIPAA encryption requirements.

    FAQs: HIPAA Encryption Requirements

    What is HIPAA encryption at rest?

    In simple terms, when ePHI is "at rest", meaning stored rather than actively being transmitted, it still needs to be protected from breaches and unauthorized access. Encrypting ePHI at rest adds a layer of protection by converting the data into a format that can only be read by authorized individuals who hold the decryption key.

    HIPAA encryption requirements for data at rest

    The HIPAA encryption requirements for data at rest apply to any ePHI stored on a server, a desktop or laptop drive, a USB stick, backup media, or a mobile device. It is best practice to encrypt every device on which ePHI is maintained, including removable media and backups, so that a lost or stolen device does not expose readable data. Just as important is where the key lives: full-disk encryption on a laptop only helps if the key is protected by a strong passphrase or hardware (such as a TPM) rather than stored in the clear next to the data.

    What is HIPAA encryption in transit?

    HIPAA encryption in transit safeguards electronic communications containing ePHI as they travel across multiple networks and mail servers between the sender and recipient. Along this route, intermediate mail servers (and in some cases network devices) temporarily hold copies of the communication, so interception is possible at any hop. Encrypting ePHI in transit ensures that even if a malicious actor gains access to one of those systems or intercepts the traffic, the ePHI within remains unreadable and unusable to them. Note that hop-by-hop protection such as TLS between mail servers only covers the wire; a compromised intermediate server still sees the plaintext, which is why end-to-end methods (S/MIME, OpenPGP) or a secure portal are used when the intermediate systems are not trusted.

    HIPAA encryption requirements for data in transit

    While the HIPAA Security Rule does not provide specific technical instructions for encryption methods, it requires safeguards against unauthorized access to electronic protected health information (ePHI) during transmission, or "data in transit", and lists encryption as an addressable implementation specification for meeting that requirement (45 CFR 164.312(e)).

    What are HIPAA encryption requirements for email?

    The Health Insurance Portability and Accountability Act (HIPAA) establishes regulations for the privacy and security of protected health information (PHI). The HIPAA Security Rule requires covered entities and business associates to control access to ePHI, protect it from unauthorized access, protect its integrity, and guard against unauthorized access while it is transmitted over a network. The Rule does not prescribe specific encryption technologies for email; instead it lists encryption as an addressable implementation specification, so organizations must use it where reasonable and appropriate, and where they decide it is not, document that decision and implement an equivalent alternative safeguard. For email leaving the organization, an equivalent alternative is hard to identify, which is why encrypting messages that contain ePHI is the expected practice.

    How to meet HIPAA encryption requirements for email?

    The two most effective technologies for complying with the HIPAA Security Rule are encryption and secure messaging. Encryption technologies encrypt messages before they are sent, making them unreadable to unauthorized individuals if they are intercepted or inadvertently leaked. Secure messaging solutions provide a portal where users log in to send and receive encrypted messages, adding a layer of access control (and the ability to expire or revoke a message) on top of the encryption itself.

    What is a violation of HIPAA encryption requirements?

    The most common violation of HIPAA encryption requirements is the failure to encrypt ePHI, or to document and implement an equivalent safeguard where encryption was judged not to be reasonable and appropriate. Another common violation is emailing protected health information from a healthcare facility to a personal email account, which happens when employees send files to themselves to work on at home. Lost or stolen devices holding unencrypted PHI are another frequent violation, as is disclosing PHI to third parties who do not have adequate encryption protections (or a BAA) in place.

    Does Gmail satisfy HIPAA encryption requirements?

    A free consumer Gmail account is not HIPAA compliant, because Google will not sign a Business Associate Agreement for it. Organizations wishing to use Gmail for ePHI must use Google Workspace (formerly G Suite), for which Google will sign a HIPAA Business Associate Agreement. Gmail encrypts mail in transit with TLS when the receiving server supports it, but that protection is opportunistic, hop-by-hop, and not under the sender's control, so it does not by itself guarantee that a message containing ePHI is encrypted end to end. Organizations therefore typically add a message encryption or secure messaging service, whether Google's own options or a third-party provider, to satisfy HIPAA encryption requirements for email.

    Does Outlook satisfy HIPAA encryption requirements?

    Microsoft offers several versions of Outlook, each with different capabilities for complying with HIPAA encryption requirements. Outlook.com, the free consumer service, is not covered by a Business Associate Agreement and cannot satisfy HIPAA encryption requirements. Outlook within Microsoft 365, or desktop Outlook connected to a Microsoft 365 tenant, can be made HIPAA compliant with proper configuration, a HIPAA Business Associate Agreement with Microsoft, and an enforced message encryption solution, whether Microsoft's own message encryption features or a third-party provider such as Mimecast.
