HIPAA Tip: Encryption

Per the HIPAA Security Rule encryption software must meet minimum requirements relevant to the state of that information, whether it is “at rest” or “in transit”.

When data is “at rest”, it is stored in a digital medium such as a server hard drive, workstation hard drive or within an electronic medical records system. Data could also be contained in a mobile device like a tablet or phone. HIPAA defines valid protocols consistent with NIST Special Publication 800-111, “Guide to Storage Encryption Technologies for End User Devices”.

When data is “in transit” it is moving between a sender and a destination. This would include emails or eFax’s containing Protected Health Information (PHI), transmitting data to cloud storage, PHI moving from one office location to another office location (whether this is one organization or another Covered Entity’s location). In transit HIPAA cites NIST Special Publications 800-52 “Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations” and 800-77 “Guide to IPsec VPN”.

Enable encryption whenever possible as this is the safest and most secure method to protect PHI, sensitive data, and Personally Identifiable Information (PII). Investing in encryption can be one of the best ways to protect your organization from hacking and ransomware attacks.

HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). ANATOMY_IT. can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.