Question: Is the use of encryption mandatory under the HIPAA Security Rule?
Answer: Some people believe that encryption is a required security implementation specification, so that every covered entity (CE) must implement encryption for transmitting and storing electronic protected health information (ePHI). That belief is wrong, according to a Nov. 20 blog posting by attorney Mary Beth Gettins of Gettins’ Law.
In fact, the HIPAA Security Rule does not mandate the use of encryption. As Gettins explained, if your risk analysis determines that encryption is not reasonable or appropriate, or if alternative measures are in place, you do not need to implement encryption. You must, however, document the decision not to implement encryption and your rationale for that decision.