HIPAA: Encryption is NOT Required…What?!?
No, that headline is not a misprint. Contrary to common assumptions, Congress decided that the Health Insurance Portability and Accountability Act (HIPAA) should not—and, therefore, does not—require the use of encryption to secure your patients’ private medical data (aka, electronic Protected Health Information or ePHI).
WARNING: IF YOU STOP READING NOW AND SIMPLY DECIDE THAT YOU DO NOT NEED ENCRYPTION, YOU MAY WAKE UP ONE DAY TO THE WORST FINANCIAL AND PUBLIC RELATIONS NIGHTMARE IMAGINABLE. SO, READ ON…
Required vs. Addressable: What’s the Difference?
Congress adopted two types of implementation specifications in HIPAA—“required” and “addressable.” Those labeled “required” must be implemented, or it will be deemed an automatic failure to comply with the HIPAA Security Rule. On the other hand, those labeled “addressable” must be implemented only if, after a risk assessment, the covered entity (that’s you, if you’re a Health Care Provider, Health Plan, or a Health Care Clearinghouse) has determined that encryption is a reasonable and appropriate safeguard for managing risks to the confidentiality, integrity and availability (CIA) of ePHI.
A brief sidebar about the CIA triad: confidentiality protects against unauthorized disclosure, while integrity protects against unauthorized modification or destruction, and availability protects against disruptions to access and use of ePHI. Got it? Now, back to our story…
However, if you determine that encryption is not reasonable and appropriate (think about this carefully), then you must document your rationale for that decision and do one of the following:
- Implement an equivalent alternative to encryption that is reasonable and appropriate; or
- If safeguarding ePHI can otherwise be achieved, then HIPAA even allows you to choose not to use encryption or any equivalent alternative measure, provided that you also document the rationale for this decision.
Shocking, isn’t it?
Now, if you’ve thought about that carefully, you’re probably wondering something along the lines of: “What if HHS audits me and they don’t agree with my carefully documented rationale for deciding that encryption is not reasonable and appropriate to protect my patients’ private medical data?” Perfect question! And therein lies the problem. It is difficult to even imagine a situation where it would be “reasonable and appropriate” to decide not to use encryption to protect ePHI.
So, even though HIPAA does not literally require encryption, it effectively requires encryption because there is no reasonable and appropriate alternative for protecting ePHI.
In other words, when it comes to using encryption to protect ePHI, there is little (if any) difference in Congress labeling it as “addressable” rather than “required.” Not using encryption is simply too risky for your patients’ ePHI and, therefore, even riskier for your business.
Encryption: HIPAA’s Data Breach Safe Harbor
Under the HIPAA Breach Notification Rule, there are essentially two types of ePHI—unsecured (i.e., unencrypted) and secured (i.e., encrypted). Under HIPAA, every breach of unencrypted ePHI requires you to provide time-bound notifications to:
- Affected patients;
- The Secretary of HHS (i.e., the federal government); and/or
- Prominent local/state media outlets.
This, of course, will put you at risk of federal and/or state investigations, fines, possible lawsuits, and the worst kind of public relations disaster imaginable. This will almost certainly result in lost business and consumer trust.
But there is good news… no… GREAT NEWS! Under the Breach Notification Rule, encrypted ePHI that is “breached” (e.g., lost, stolen, or accidentally/intentionally sent to the wrong recipient) is not considered a breach at all. How? Because ePHI that is encrypted cannot be read or otherwise used without the key(s) required to decrypt it, so the safe harbor applies only as long as those keys were not lost or exposed along with the data.
So, if you use it, encryption is your lawful HIPAA-endorsed safe harbor against everything you want to avoid in the event of a breach of ePHI. Going back to our previous segment, even if you somehow came up with that rarest of all situations—where using encryption to protect ePHI was not reasonable and appropriate, you still need to use it because doing so gives you a complete “out” when the worst of all possible ePHI scenarios—a data breach—occurs.
In summary, although HIPAA does not literally require encryption, Congress nonetheless has effectively mandated its use because:
- It is all but impossible to think of a real-world situation where encrypting ePHI is not reasonable and appropriate; and
- If you choose not to use it, you are exposing your business to a plethora of regulatory, legal, public relations, and/or financial risks that are easily avoidable by simply using encryption.
Encryption with Microsoft Software
Security is an enormous concern for businesses in any industry—but especially in those that deal with confidential and sensitive information, such as healthcare. So, what steps can your health care business take to protect itself? You can start by ensuring the software and collaboration tools your healthcare providers and employees use have robust security measures, especially when it comes to stored medical files and sensitive communications (such as sending a patient’s records between medical professionals).
With subscription-based, continuously updated software such as Office 365 Business, all tiers come equipped with data encryption, both for data at rest and in transit. This way, even if a data breach does occur, malicious users will not be able to read your data without also obtaining the decryption keys or valid user credentials. With Office 365 for Business, there is no need to worry about data encryption or even make a conscious decision about it—all of your communications and data through Teams and Office 365 will automatically be encrypted.
Additionally, as long as your software can connect to the subscription service’s servers, you will always have the latest security patches. Office 365 security even goes a bit beyond simply applying patches to fix security vulnerabilities. If your business is using the Premium tier of the software, users will also get:
- Enforced multifactor authentication for users;
- Region-based data residency; and
- Phishing email protection (in the Outlook tools).
These Microsoft Office security features help safeguard your business against cybersecurity breaches and give you peace of mind that your confidential data is always encrypted. To set up Teams and Microsoft 365 for Business so your healthcare organization can benefit from data encryption, reach out to the team at Protected Trust today.
See:
- 45 CFR § 164.306(d)(3), detailing the difference between “Addressable” and “Required” implementation specifications, at http://www.ecfr.gov/cgi-bin/retrieveECFR?n=sp45.1.164.c#se45.1.164_1306;
- 45 CFR § 164.312(a)(2)(iv), labeling encryption and decryption as “Addressable,” at http://www.ecfr.gov/cgi-bin/retrieveECFR?n=sp45.1.164.c#se45.1.164_1312; and
- the HHS HIPAA Encryption FAQ at http://www.hhs.gov/hipaa/for-professionals/faq/2001/is-the-use-of-encryption-mandatory-in-the-security-rule/index.html