HIPAA Security Rule Section 164.312 Encryption and Decryption

This post is about HIPAA Security Rule Section 164.312 Encryption and Decryption. Encryption is a process used to make data incomprehensible to unauthorized users and readable to authorized users by encoding. In healthcare information technology, encryption is a very important tool in protecting patient data and is addressed in HIPAA Security Rule Section 164.312 Encryption and Decryption under Technical Safeguards.

Understanding HIPAA regulations dealing with the protection of electronic Protected Health Information (ePHI) can be daunting, yet extremely important. If you work in Healthcare IT you may already be familiar with 45 CFR § 164.312 Technical Safeguards (a)(2)(iv) Encryption and Decryption. This is the section dealing with the encryption of ePHI data and or devices that store, transmit, or work with ePHI (i.e. disk drives, USBs, directories, etc.) The rule reads as follows:

"(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information."

Well, that seems very to the point. But just what does Addressable mean as pertains to HIPAA Security Rule Section 164.312 ? Are covered entities required to encrypt or not? It took a bit of research and half a cup of coffee but here is the answer coming from a reliable source.

"Is the use of encryption mandatory in the Security Rule? Answer:No. The final Security Rule made the use of encryption an addressable implementation specification. See 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii). The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision."

via Is the use of encryption mandatory in the Security Rule?. Thus, in order to comply with HIPAA Security Rule Section 164.312 encryption requirements, a covered entity must conduct a Security Risk Assessment first to determine if encryption is warranted for their organization and to what extent. If they find it inappropriate or unreasonable, the reasoning behind that determination should be documented.