HIPAA Security Rule
The decision to use encryption of ePHI as a safeguard depends on several factors. The HIPAA Security Rule permits the transmission of electronic protected health information (ePHI) as long as it is safeguarded. After a careful analysis of its systems, an organization may decide that encryption of ePHI is the safeguard that best serves its interests. The healthcare provider may then adopt encryption as its means of protecting sensitive ePHI.
The encryption standard causes confusion because it is defined as an addressable requirement. This means it should be implemented if it is a reasonable and appropriate safeguard for the protection of ePHI. The entity may determine that encryption is the best safeguard in its risk management of the confidentiality, integrity, and availability of ePHI. Consequently, an organization should consider encryption and, where appropriate, implement it in its management of ePHI. The decision must then be documented in the organization's plan.
No Specific Requirements
When the Security Rule was enacted, it was recognized that technology was advancing rapidly. Consequently, it would have been very difficult to maintain guidelines that needed to change regularly. For this reason, the rule does not require specific safeguards that could soon become outdated. It is up to the organization to perform a careful risk assessment and, based on that assessment, put in place the appropriate mechanisms to protect ePHI. At present, encryption of ePHI is an effective tool and a good safeguard for the secure transmission of email and text messages through the cloud. In many cases it has become the standard for the transmission of sensitive data in healthcare and in the business world.
Alternative to Encryption
Based on its security risk assessment, a health care provider may determine that encryption is not reasonable and appropriate. In that case it may implement an equivalent alternative measure to protect ePHI. It may also decide to do neither, if it determines that the standard is otherwise met. In every case, the provider should document the reasons for its decision.