
Encryption for HIPAA Compliance: A Quick Primer

Sam Guiliano
by Atlantic.Net (81 posts) under HIPAA Compliant Hosting

If you are an IT professional or otherwise know your way around Internet standards, you are probably familiar with SSL (Secure Sockets Layer) security certificates and the concept of encryption. Essentially, any encryption method scrambles data using an intricate codification system and a corresponding decoding protocol. For example, in the case of SSL certificates, a public key is held by the server, and a private key is provided to each user.

Let’s look specifically at how data encryption applies to protected health information (PHI), which, in a fundamental sense, means EHR/EMR (electronic health/medical records). Clearly, this type of data must be kept under digital “lock and key” due to its profoundly private nature.

Is data encryption mandatory?

As Donald F. Lee III of Algonquin Studios establishes, encryption is not necessary – technically – under the HIPAA Security Rule (the section that addresses encryption standards). Lee points out that the Rule does not state outright that data must be encrypted at any stage of the process. Both of the subsections that address encryption specifications (each contained in the Technical Safeguards section of the Security Rule) list the encryption recommendations as “Addressable” rather than “Required.”

Despite that initial argument, Lee points out that Health & Human Services clarifies, in the Frequently Asked Questions (FAQ) section of its site, that a lack of encryption would need a sound explanation. Since it would be hard to argue that data should not be encrypted for its own protection, Lee's central thesis is clear: yes, you do need to encrypt, even if the Security Rule is somewhat confusing on this point.

What HIPAA itself states regarding encryption parameters

HHS describes acceptable methods for protecting unsecured data in its advice to comply with the Breach Notification Rule. The guidance lists two different ways to protect data: encryption and destruction. Since the general concern of those with PHI is creating a secure environment for data currently being stored or processed, encryption is the relevant method.

HHS, citing the Security Rule, notes that encryption is described as a process that changes data into a different form, one that is highly unlikely to be understood without the applicable decryption tool. HHS also points out that whatever is used to decrypt the data must be kept on a separate machine or somewhere off-site. The stipulations for HIPAA database storage and data transmission are both subject to the specifications of the National Institute of Standards and Technology (NIST).

Specific suggestions for encryption

You may have heard across-the-board suggestions such as, “Don’t store or process any PHI on a laptop.” According to Mike Semel of 4Medapproved, that is not necessarily the case; what matters is that the device has proper protection. Semel suggests that you can either encrypt files individually or encrypt the entire hard drive as a whole. For the latter, you use software that automatically encrypts all the data on the drive, known as full disk encryption (FDE).

Specifically, Semel recommends using an encryption program on a laptop with a solid-state drive (SSD). You can convert an existing laptop to solid-state for this purpose. He notes that even if the computer were stolen, you would still not be in violation, because the new owner would not be able to access the data.
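To make the HHS definition and Semel's file-level option concrete, here is an added example in Go; it is not from the article, from Atlantic.Net, or from any of the sources the article cites. A constructed sample record is sealed with AES-256-GCM, the key is generated and held apart from the ciphertext (standing in for the "separate machine" HHS describes), and the stored blob is checked to confirm it no longer contains the record in the clear. The record contents, the function names, and the key-handling choices are assumptions made for the example; full disk encryption products do the equivalent for the whole drive, below the file system.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed stand-in for one PHI record; not real data.
var sampleRecord = []byte("MRN:000123;Name:Test Patient;Dx:example")

// NewKey returns a fresh 256-bit key. In a deployment the key lives in a key
// store (hardware token, KMS, or a separate machine), never beside the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds the AEAD; a 32-byte key selects AES-256, anything else errors.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM. Output layout: nonce || ciphertext || tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and the 16-byte authentication tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. A wrong key or any modified byte makes Open return
// an error, so a caller never receives silently corrupted PHI.
func Decrypt(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to hold a nonce")
	}
	nonce, sealed := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil)
}

// LeaksPlaintext reports whether the stored blob still contains the record in
// the clear, which is the property the HHS definition is really about.
func LeaksPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Encrypt(key, sampleRecord)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes) leaks plaintext: %v\n", len(blob), LeaksPlaintext(blob, sampleRecord))

	// Simulate a stolen disk: whoever has the blob does not have the key.
	wrongKey, err := NewKey()
	if err != nil {
		panic(err)
	}
	if _, err := Decrypt(wrongKey, blob); err != nil {
		fmt.Println("decrypt without the real key:", err)
	}

	// The legitimate owner, holding the key separately, recovers the record.
	plain, err := Decrypt(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", plain)
}
```

Running `main` shows the three properties that matter for the "unsecured PHI" question: the blob does not contain the record, decryption with any other key fails outright rather than returning garbage, and only the holder of the separately stored key gets the record back. The same AEAD check also rejects a blob that has been altered in storage.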

He also specifically suggests setting up a virtual private network (VPN) for remote access to the data so that the Internet connection is not vulnerable. He points out that even if someone can see the data passing back and forth over the VPN, none of it will be in a recognizable form.

Mobile devices vs. servers

Any mobile device, including a laptop, needs to be encrypted. This “client-side” category of HIPAA infractions is critical and has received significant focus from HHS.

The other place where you may have an issue is the server side. That may seem obvious, but Lee believes that mobile encryption is more widely applied than server encryption. For the most part, HIPAA breaches have occurred because a computer was stolen that did not have its data properly encrypted. Hacking (commonly considered a true “data breach”) has not been as common a threat.

Unfortunately, more widespread hacking is probably on the horizon, says Leon Rodriguez, who directs the Office of Civil Rights, the branch of HHS that oversees HIPAA compliance. Again, though, if the data is encrypted on the server, the thief won’t have any usable data.

As you can see, data encryption is important not just at your facility but also in your server infrastructure. Atlantic.Net can walk you through the process of HIPAA Compliant Hosting. With two decades in the hosting business and a full range of security and auditing certifications, including SSAE 16 (SOC 1) TYPE II (formerly SAS 70), we know how to keep your patients' data secure, prevent fines, and protect your reputation with award-winning Dedicated Hosting and Cloud Hosting.

[Comic: HIPAA compliant hosting joke. Comic words by Kent Roberts and art by Leena Cruz.]
