Home Health & Hospice Week

Industry Notes:

Check Out Myth-Busting Information On HIPAA And Encryption

Check your assumptions about HIPAA compliance and encryption.

Many providers think electronic protected health information (ePHI) must be encrypted to be HIPAA compliant. Believe it or not, that’s not the case.

In “Security Standards: Technical Safeguards,” the Department of Health and Human Services outlines four implementation specifications for “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Of the four, only two — unique user identification and an emergency access procedure — are required. The two others — encryption and decryption, along with an automatic logoff — are not.

Why? Clearly, a covered entity (CE) has to do something to safeguard computers, phones, or other technology that it uses to store and transmit ePHI, and encryption is ideally suited for that purpose. But if, after a risk analysis, the organization decides that encryption will not help it protect ePHI from “anticipated threats and hazards” in a “reasonable and appropriate way,” then the entity must “implement an equivalent alternative measure,” according to another HHS document, “Security 101 for Covered Entities.”

That said, while encryption is not required to protect ePHI, it is more than just a pretty good idea.

The brief is at www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf and HHS tips are at www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/security101.pdf.
