Understanding the HIPAA Encryption Requirement
In its original form, the Health Insurance Portability and Accountability Act (HIPAA) was intended to protect the privacy of patient health information (PHI). Since the law was enacted in 1996, healthcare organizations have changed their operating models to incorporate digital data sharing and the government has encouraged interoperability for better patient care, so HIPAA expanded beyond paper files to include electronic PHI (ePHI).
Additionally, as these digital data sharing models continued to grow, so too did the types of organizations covered by HIPAA. Today, healthcare organizations and their business associates need to meet stringent compliance requirements to avoid hefty fines levied by the Department of Health and Human Services (HHS), the agency enforcing HIPAA compliance. Understanding the HIPAA encryption requirements gives healthcare organizations and their business associates a way to protect privacy for data both in-transit and at-rest.
Does HIPAA require encryption?
HIPAA consists of four separate “rules”: the Privacy Rule, Security Rule, Enforcement Rule, and Breach Notification Rule. In response to the increased digitalization of patient data, HHS announced a final Omnibus Rule in 2013, implementing additional provisions from the Health Information Technology for Economic and Clinical Health Act (HITECH).
Fitting the different pieces of HIPAA together can be daunting because the requirements are listed in various documents aggregated across over twenty years.
Encryption, while not technically “required” by either HIPAA or HITECH, is considered an “addressable” control. Addressable does not mean the control is optional, but it does mean that a covered entity can determine whether an implementation is reasonable and appropriate. If the organization determines that an “addressable” control is not reasonable and appropriate, then it must find an alternative compensating control that is reasonable and appropriate to meet the addressable control’s purpose.
Security Rule Requirements
The Security Rule is divided into administrative, technical, and physical safeguards. Under Security Rule technical safeguards, HIPAA notes that encryption and decryption are addressable implementations as part of the access and transmission security measures.
Connection to National Institute of Standards and Technology (NIST)
Increasingly, healthcare organizations, business associates, and patients turned to electronic data sharing models. In 2014, NIST released its Cybersecurity Framework (NIST CSF) and in 2016 published the “HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework”. The document maps HIPAA Security Rule standards and implementations to NIST CSF subcategories while also cross-mapping to additional frameworks such as the International Organization for Standardization (ISO), Control Objectives for Information and Related Technology (COBIT), and Council on Cybersecurity Critical Security Controls (CCS CSC). The Crosswalk document includes the following:
- PR.DS-1: Data-at-rest is protected.
- PR.DS-2: Data-in-transit is protected.
The Crosswalk then aligns across various “relevant control mappings,” including CCS CSC, COBIT, ISO 27001:2013, NIST SP 800-53, and HIPAA Security Rule. Since 2016, several of these control mappings have changed. For example, CCS CSC is now called the Center for Internet Security (CIS) controls while COBIT and ISO 27000 have both been updated.
Thus, while HIPAA may not specifically require encryption, the intersection between the related control mappings and the need to protect data-at-rest and data-in-transit indicates that encryption would be considered a best practice.
What level of encryption is required for HIPAA?
With the intricate level of cross-mapping between the different compliance requirements, the level of encryption required to comply with HIPAA and HITECH can be overwhelming. For example:
- Subcontrol 15.7: Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
- Subcontrol 18.5: Use only Standardized and Extensively Reviewed Encryption Algorithms
- ISO 27000: AES-256 encryption
- NIST 800-53 SC-12 Cryptographic Key Establishment and Management: establish and manage cryptographic keys for required cryptography employed within the information system.
Of the listed controls, only ISO 27000 applies a specific encryption standard, AES-256 encryption, which is currently considered the strongest level of encryption.
Is end-to-end encryption HIPAA compliant?
Experts consider end-to-end encryption (E2EE) the most secure way to share data electronically. With E2EE, data is encrypted both on the user’s device (at-rest) and as it travels to another end user (in-transit). This protects information and enables HIPAA compliance in several ways:
- Lost devices: Even if a device is lost, the at-rest encryption ensures that information is not readable.
- Cloud storage: Even if cybercriminals gain unauthorized access, the data will be unreadable.
- Data sharing: Even if a cybercriminal manages to execute a man-in-the-middle attack successfully, the data will be unreadable.
- Accidental access: Even if an authorized user gains access to data without the appropriate decryption, the data will be unreadable.
With E2EE, health organizations and business associates can better protect data. With easy-to-deploy and use encryption solutions, E2EE is a reasonable and appropriate data-in-transit and data-at-rest protection implementation.
How end-to-end encryption enables secure telehealth
The rise of telehealth as part of healthcare’s response to the COVID-19 stay-at-home orders increases the value of E2EE. Moreover, many healthcare providers will likely continue to engage in telehealth practices in the post-COVID era. However, cybercriminals continue to deploy attacks against telehealth providers. According to research, IT staff at the most popular telehealth application found a 30% increase overall in security alerts, indicating increased cybercriminal attack attempts.
With telehealth likely to be integrated into traditional healthcare, providers and business associates should look for solutions that protect data and enable HIPAA compliance. To maintain various administrative tasks, including follow-up calls or billing, employees may share documents using collaborative tools or email. Moreover, as the healthcare industry continues to evolve its telehealth practices, documents and other files containing ePHI may need to be circulated among practitioners. For example, a practitioner may keep a list of patients with outstanding bills in a spreadsheet. Sharing the spreadsheet via email becomes a privacy and security risk for two reasons. First, cybercriminals may attempt to intercept the communication. Second, an employee may accidentally email the spreadsheet to an incorrect email address. E2EE can mitigate the risks associated with both of these hypotheticals.
Atakama: Easy end-to-end encryption for healthcare organizations and business associates
As healthcare organizations and business associates look to continue telehealth practices, E2EE becomes a fundamental control for mitigating security and privacy risks. Unfortunately, many encryption tools can be cumbersome to deploy and difficult for end-users, ultimately leaving data unprotected when users circumvent encryption policies.
Atakama’s encrypted file transfer solution enables HIPAA compliance with an easy-to-use approach that increases end-user adoption rates. Atakama protects files with AES-256 standard encryption. Unlike traditional tools that require passwords for decrypting data, Atakama’s solution pushes an approval request to the sender’s device, giving the sender the ability to accept or deny the decryption request. Since senders need to approve the decryption request, Atakama ensures that data remains encrypted end-to-end and does so without placing a burden on the users.
Additionally, with Atakama’s Application Level Database Encryption solution, organizations can secure data-at-rest on their servers and data-in-transit when accessed through an application. Atakama’s solution encrypts data within an application, as it is entered and before it is transmitted to the database. When a user approves a data request, the data is decrypted for that user’s view while it remains encrypted on the server. This process ensures that data remains encrypted on the server at all times and is decrypted only for the particular user, within their browser, when they call up the information.
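As an added illustration of the application-level pattern described above (example code written for this page, not Atakama’s product code): the application holds the AES-256 key and seals each ePHI field with AES-GCM before the value reaches the database, so the stored row is only ever ciphertext and decryption happens only when the application serves an approved read. The key, the column name and the patient id are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// NewFieldCipher builds the AES-256-GCM AEAD the application keeps in memory.
// The 32-byte key stays in the application tier (in practice from a KMS).
func NewFieldCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one ePHI value in the application before it reaches the
// database. context (e.g. "diagnosis:p-001") is bound as associated data so a
// ciphertext moved to another row or column will not decrypt.
func EncryptField(gcm cipher.AEAD, plaintext, context string) (string, error) {
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(context))
	return base64.StdEncoding.EncodeToString(ct), nil // nonce || ciphertext || tag
}

// DecryptField runs only for an approved read. A tampered value, wrong key or
// wrong context fails the GCM tag check and returns an error, not plaintext.
func DecryptField(gcm cipher.AEAD, stored, context string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(raw) < n {
		return "", errors.New("stored value too short")
	}
	pt, err := gcm.Open(nil, raw[:n], raw[n:], []byte(context))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

Because the database only ever receives the base64 ciphertext, a dump of the table, a misrouted backup or a DBA query exposes no readable ePHI without the application-tier key.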
For more information about how Atakama can enable your organization’s long-term telehealth goals, contact us for a demo today.