Cryptographic requirements for HIPAA compliance


NEW YORK, Sept. 1, 2022 (GLOBE NEWSWIRE) — The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to prevent disclosure of sensitive patient information without the patient's consent or knowledge. Several encryption requirements have been established to comply with HIPAA. However, because the Security Rule classifies encryption as an "addressable" specification rather than a "required" one, there is some confusion about exactly what level of encryption is appropriate.

HIPAA also states that Covered Entities (CEs) and business associates must "implement a mechanism to encrypt" protected health information whenever deemed appropriate, which is also somewhat ambiguous. So when do organizations have to encrypt in order to meet HIPAA requirements?

When is encryption required?

While the wording may be vague, it is clear that encryption is a key element of HIPAA compliance, and organizations should err on the side of caution. Risk assessments must be performed and each encryption decision must be justified, so that the highest practical level of security is provided at all times.

Encryption may not always be required when information is only transmitted inside an enterprise firewall, provided that perimeter genuinely prevents access by unauthorized parties. However, assume that sensitive patient information leaves that perimeter. In that case it must be encrypted to meet the required level of compliance. This is what "addressable" means in the HIPAA text: the CE must assess whether encryption is a reasonable and appropriate safeguard in its environment, and where it concludes that it is not, it must document why and implement an equivalent alternative safeguard. "Addressable" does not mean optional, and it is not something a patient can waive.

How to handle encryption issues

One of the main reasons for the deliberately ambiguous wording of the HIPAA text is that its authors did not want to be too prescriptive about the technology required, because they knew it would inevitably change within a few years of the law's entry into force. The rule was therefore written to leave room for what the requirements mean going forward, in a way that is "technology neutral". The implication is that CEs must implement the most appropriate encryption solutions for their individual circumstances, given the technology available to them. As noted above, this means assessing the risks and documenting the justification for the chosen controls so that adequate security is provided.

Encryption requirements must apply to all parts of a CE’s IT system, from computer terminals and mobile devices to servers.

Email encryption

HIPAA regulation permits transmission of personal health information via email provided that such information is adequately protected. Therefore CE managers must perform a risk assessment to determine if encrypted email is necessary to meet expected security levels. This assessment should identify confidentiality risks and outline a plan to reduce that risk to an appropriate level.

In practice, this usually means encrypting all messages that carry protected health information. Whatever the decision, all details of the assessment and any alternative protection measures must be documented and made available for inspection.

Email Encryption Benefits

With the proliferation of personal devices in the workplace, which many employees use to manage their workflow, encryption may be necessary in many organizations. It may be necessary to use a secure messaging platform that meets HIPAA requirements in order to prevent unauthorized interception of data. Such services can only be accessed with proper authorization and must satisfy requirements for identity authentication, access control and integrity of data in transit.


Source: Mimecast
