E is for Encryption

Safeguarding ePHI

HIPAA Security Rule

The HIPAA Security Rule allows the transmission of electronic PHI (ePHI) as long as it is safeguarded. It is up to the healthcare provider to decide whether to use encryption, based on the results of its risk assessment.

The encryption standard causes confusion because it is defined as an addressable requirement: it must be implemented if it is a reasonable and appropriate safeguard for the protection of ePHI.

No Specific Requirements

When the Security Rule was enacted, it was recognized that, because of rapid advances in technology, it would be very difficult to maintain guidelines that would need to change regularly. For this reason, the drafters chose not to require specific safeguards that could soon become outdated.

Alternative to Encryption

Based on its security risk assessment, a healthcare provider may determine that encryption is not reasonable and appropriate and implement an alternative safeguard to protect ePHI, or it may decide to do neither and determine that the standard is otherwise met. In either case, the provider should document the reasons for its decision.