News & Insights

Articles, Company Updates and More

The HIPAA Security Rule Access Control Standard Part 4: Encryption and Decryption

May 15, 2024

By Kenneth E. Rhea, M.D., FASHRM, LAMMICO Physician Consultant

The HIPAA Security Rule Access Control Standard Part 4: Encryption and Decryption
SHARE :           

Under the HIPAA Access Control Standard, a covered entity (CE) is required to “Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.” The Access Control Standard has four implementation specifications in Technical Safeguards:

  1. Unique User Identification (Required Specification)
  2. Emergency Access Procedures (Required Specification)
  3. Automatic Logoff (Addressable Specification)
  4. Encryption and Decryption (Addressable Specification)

The first three articles of this series discussed Unique User Identification, Emergency Access Procedures and Automatic Logoff. This article provides information on the fourth addressable specification related to encryption and decryption.

As discussed in the third article, this specification, as well as automatic logoff, requires analysis of how likely the specification implementation is to protect electronic protected health information (ePHI), if it is a reasonable and appropriate safeguard for the practice environment and whether it applies to the CE or business associate (BA) involved. These determinations will decide the use of encryption and decryption. Strange as it may seem, the HIPAA privacy and security regulations do not mandate encryption though, as in this specification, it is recommended for consideration or use of an equivalent alternative measure. If it is determined that encryption is not reasonable and appropriate, document the reason for the decision.

When reasonable and appropriate, though not mandated, this specification requires a CE to “implement a mechanism to encrypt and decrypt electronic protected health information.” Encryption in this context is defined as a method of converting original information into encoded information accomplished using some coding procedure or formula. When the ePHI is encrypted, there is a very low probability that anyone other than the individual receiving the encrypted information who has the key to the code would be able to decrypt or translate the ePHI. “Low probability” does not mean a guarantee, but the government will assume it is a reasonable protection.

The objective is securing ePHI, and HHS considers encrypted information secure. In an OCR investigation of a medical practice after a laptop computer was lost containing ePHI, investigators found that the ePHI had not been secured. The result was a monetary penalty to the practice of over $1 million. In a type of reverse definition, HHS defines unsecured PHI as PHI that is “not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology” specified by the HHS Secretary.

The considerations for this standard are:

  • To determine whether encryption and decryption are reasonable and appropriate safeguards,
  • If encryption and decryption are not reasonable what other equivalent alternative measure could be used,
    • Document the reason that use of encryption and decryption is not reasonable and appropriate,
  • If encryption and decryption are to be used, what type would be appropriate,
  • Incorporate the final decision into operational policies and,
  • Include methods of use in workforce training with updates for any procedure changes.

Far advanced from Julius Caesar’s substitution cipher in 60 B.C., there are many different and readily available encryption technologies, such as Advanced Encryption Standard (AES) 256-bit encryption, allowing data to be secured, i.e., prevention of ePHI from being accessed and viewed by unauthorized individuals. Therefore, while not mandated, in most situations, using encryption to secure ePHI is advisable, e.g., ePHI on phones, laptops and flash drives. 

This series of articles has addressed one section of the Security Rule related to access control. For further cybersecurity information on this subject and many others, LAMMICO offers policyholders complimentary access to the TMHCC CyberNET®, an advanced cyber risk management resource and education center. Log in as a Member to access the TMHCC CyberNET® portal. Provided in partnership with cyber risk experts, Tokio Marine HCC, this excellent resource is continually updated and well worth the time to review.

Annual Reports:

Receive Regular Updates: