HIPAA Encryption: What You Should Know
HIPAA encryption is recommended under federal regulation by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), but what is it and why do you need it? The HIPAA Security Rule sets specific safeguards that must be in place to protect ePHI. Although not specifically mandated, encryption is the best way to protect ePHI and reduce the probability of a breach of your patients’ or customers’ sensitive health data.
What exactly is encryption?
Encryption takes your data, whether plain written text or PHI, and turns it into unreadable text using software or algorithms. This unreadable text can only be deciphered with the matching encryption key, which turns it back into readable form. Encrypting your data protects it even in the event of a breach or theft, leaving it useless to anyone who obtains or steals it without the key.
Data at rest vs data in motion:
Data at rest is any data stored in electronic format on a device. Data is effectively “at rest” whenever it is not being transferred from one endpoint to another.
Data in motion is any data in the process of being transferred. This includes data sent via email or any other transfer medium.
HIPAA encryption requirements recommend that covered entities and business associates use end-to-end encryption (E2EE). End-to-end encryption is a means of transferring encrypted data such that only the sender and the intended recipient can view or access that data. This is distinct from other means of data transfer in which the encrypted data is temporarily stored on an intermediary server. If an encrypted data transfer requires that data go through an intermediary server (as is the case with regular email, iMessage, etc.), it is not HIPAA compliant and cannot be used by HIPAA-beholden entities.
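The two ideas above (ciphertext is useless without the key, and with end-to-end encryption an intermediary that stores the message in transit never sees plaintext) can be shown in a few dozen lines. The following Go program is an added example written for this page, not code from the original article or from any vendor it mentions. It uses AES-256-GCM from Go's standard library; the patient record is a constructed sample, the `Relay` type is a hypothetical stand-in for a store-and-forward server, and the symmetric key is assumed to have been agreed between sender and recipient out of band (the key-exchange step is not shown).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record; not real patient data.
const SampleRecord = "MRN 000001 | Jane Doe | dx: hypertension"

// NewKey returns a fresh random 256-bit AES key. In a real deployment the
// key is held by a key manager or hardware module, never stored beside the
// data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. The returned bytes are laid out
// as nonce || ciphertext || authentication tag, so a reader with the key has
// everything needed to open them and a reader without it has nothing usable.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens data produced by Encrypt. A wrong key or any modification of
// the bytes makes the GCM tag check fail, so it returns an error rather than
// garbage plaintext.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ciphertext := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// Relay is a hypothetical intermediary server that stores messages in
// transit. It has no key, so all it ever holds is ciphertext.
type Relay struct {
	stored [][]byte
}

// Forward keeps a copy of the message (as a store-and-forward server would)
// and passes it on unchanged.
func (r *Relay) Forward(msg []byte) []byte {
	r.stored = append(r.stored, append([]byte(nil), msg...))
	return msg
}

// CanRead reports whether the relay's stored copies expose the given text in
// the clear. With end-to-end encryption this is always false.
func (r *Relay) CanRead(marker string) bool {
	for _, m := range r.stored {
		if bytes.Contains(m, []byte(marker)) {
			return true
		}
	}
	return false
}

func main() {
	key, _ := NewKey() // shared only by sender and recipient
	sealed, _ := Encrypt(key, []byte(SampleRecord))

	relay := &Relay{}
	received := relay.Forward(sealed)

	fmt.Println("relay can read PHI:", relay.CanRead("Jane Doe")) // false
	pt, err := Decrypt(key, received)
	fmt.Println("recipient decrypts:", err == nil && string(pt) == SampleRecord) // true

	wrong, _ := NewKey()
	_, err = Decrypt(wrong, received)
	fmt.Println("wrong key rejected:", err != nil) // true
}
```

The choice of GCM over a plain block mode matters for the "breach or theft" case: besides hiding the content, the authentication tag means a stolen or altered copy cannot be silently modified and decrypted into a changed record. The same sealing routine covers the at-rest case (a file on a laptop) and the in-transit case (a message passing through a relay); what changes is only where the ciphertext sits while no key is present.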
Full Disk Encryption:
Full disk encryption is a type of encryption that encrypts every file on your computer's drive. This is distinct from file-level encryption, which isolates and encrypts only individual files on your hard drive. Full disk encryption protects your computer systems from attacks aimed at your sensitive health care data, and it is an essential means of HIPAA encryption for protecting data at rest, as defined in HIPAA regulation.
Off-site back-up is another powerful means of protecting your data, though it does not necessarily involve HIPAA encryption. When it comes to recovering data in the aftermath of a ransomware or malware incident, an off-site HIPAA back-up can protect your practice and get you back up and running at full capacity. Off-site back-up services allow you to keep a copy of all the data stored in your computer systems on a server located away from your office or facilities. Storing this data in a different, off-site location is critical, especially in circumstances such as unforeseen natural disasters that may damage your offices. With the data stored off-site, you can quickly re-establish access and continue delivering care to your patients.
What exactly can encryption protect you from?
Ransomware: With a huge increase in ransomware incidents, especially affecting healthcare because of the value of PHI, the only true way to protect your data is by implementing HIPAA compliant backups and encrypting your data. Backing up your data spares you from having to pay the “ransom” to get your information back, while encryption stops the thieves from accessing your data.
Email Breach: Encrypting your emails helps protect the content of the emails you send from being read by an unintended recipient; this is how end-to-end encryption works.
Laptop Loss/Theft: In the case of a lost or stolen laptop, full-disk HIPAA encryption can save you from a serious breach, like the one that triggered the OCR investigation and subsequent $3.9 million HIPAA fine.