Encryption & HIPAA: Addressable does not mean optional

Posted: Dec 12, 2016

Encryption is the process of converting readable information into indecipherable code, whether the data is in transit or in storage. It matters because it prevents unauthorized parties from reading sensitive data, and for the healthcare industry in particular it is critical for keeping patient health records private.

While no organization is immune to the threat of security breaches, encryption can significantly reduce the impact of a breach, because stolen or lost data that is properly encrypted remains unreadable to the attacker. Yet many healthcare organizations are still falling short on encryption: a recent report suggests more than half of compromised records in the healthcare sector are the result of a failure to encrypt data, as opposed to just 16% of breaches in other sectors.

What HIPAA says about encryption

Despite the close relationship between encryption and health data security, encryption is not an explicit requirement under HIPAA. However, that does not mean it can be ignored. Far from it.

Under HIPAA, three sets of safeguards define the security standards that help ensure the confidentiality of patient information: Physical, Administrative, and Technical.

The Technical safeguards are broken down into six standards that focus on the technology that protects and controls access to PHI. Within these six standards, there are nine key areas (implementation specifications) that organizations need to address, each classified as either ‘required’ or ‘addressable’.

‘If an implementation specification is described as “required,” the specification must be implemented. The concept of “addressable implementation specifications” was developed to provide covered entities additional flexibility with respect to compliance with the security standards.’

‘In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification: (a) implement the addressable implementation specifications; (b) implement one or more alternative security measures to accomplish the same purpose; (c) not implement either an addressable implementation specification or an alternative. The covered entity’s choice must be documented.’ – HHS.gov

Encryption (and decryption) falls into the addressable category. This is where issues can arise, because the term addressable is easily misconstrued. To be clear, just because encryption is an addressable safeguard, it does not mean it is optional. As the HHS guidance above spells out, an entity that chooses not to encrypt must still either put an alternative measure in place that accomplishes the same purpose or document why neither is reasonable and appropriate in its environment; “we didn’t get around to it” is not a documented choice. By ignoring encryption, healthcare organizations leave themselves significantly more vulnerable to security breaches and the fines that come with them.

In summary

For HIPAA covered entities and their business associates, safeguarding patient data is no longer optional. Failure to comply with HIPAA can result in both civil and criminal penalties, not to mention long-term reputational damage. At Scrypt, security is our highest priority. We know how important the safeguarding of sensitive data and personal information is to our customers, which is why we encrypt all documents with full 256-bit SSL security and AES algorithms. You can find out more about our commitment to security and encryption at https://www.scrypt.com/company/security/.