Encrypting data to meet HIPAA compliance

To address the question of whether to use data encryption to meet HIPAA compliance and keep protected health information (PHI) safe, let’s revisit the Health Insurance Portability and Accountability Act of 1996 (HIPAA):

If you choose not to encrypt data, the HIPAA Security Rule states you must implement an equivalent solution to meet the regulatory requirement. The law leaves encryption open to interpretation because covered entities vary in their networks and how they use them, depending on the type and size of the business.

While HIPAA and HITECH address the security and privacy of PHI with a policy- and procedure-oriented approach, setting no strict parameters for what type of technology to use, encryption is generally considered a best practice for protecting sensitive data.

• For remote access to applications and data when telecommuting or working from a remote location, use a VPN (Virtual Private Network). A VPN creates a temporary encrypted connection that exists only for the duration of the session.

• Keeping sensitive data on a portable device is not recommended; it is better to store your data in an offsite location with a secure environment, such as a HIPAA compliant data center with the proper physical and network security in place to protect PHI and prevent a data breach. This lesson was learned in the case of the Sutter Health HIPAA breach, caused by a stolen unencrypted desktop PC. An audited HIPAA hosting solution can also offer greater protection through additional security measures such as a virtual or dedicated firewall, backup, antivirus and OS patch management.

• For mobile devices and portable media that store data, including CDs, DVDs, USB drives, iPods and BlackBerrys, encrypting the data on the device can help protect against a HIPAA breach. Other options include putting in place a policy for mobile device use and PHI storage, limiting which data may be stored on the devices, or implementing access controls on the device, including password protection.

• Other methods that can help you determine whether you need encryption include completing a HIPAA risk assessment, performing a gap analysis to find out what is missing from your current security environment, and developing and documenting solutions that make you more resilient to the risk of a data breach.

Find out more about the Benefits of HIPAA Compliant Hosting and basic definitions in our HIPAA Glossary of Terms. Get examples of HIPAA training, privacy policies, procedures and forms from established HIPAA compliant medical centers and universities in our HIPAA Resources section.
