Does HIPAA Require Data At Rest Encryption?


What You Need To Know About HIPAA And Data At Rest Encryption

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 changed how patient information may be stored and shared. Under the Security Rule, issued under Title II of HIPAA, covered entities (and, since the HITECH Act, their business associates) must implement administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). Encryption and decryption of ePHI is one of the implementation specifications the Security Rule lists under its technical safeguards.

DOES HIPAA REQUIRE PATIENT DATA ENCRYPTION?

Implementation specifications under the Security Rule are either required or addressable. Encryption appears twice, both times as an addressable specification: under the Access Control standard of the technical safeguards (45 CFR 164.312(a)(2)(iv)), which covers stored ePHI, and under the Transmission Security standard (45 CFR 164.312(e)(2)(ii)), which covers ePHI sent over a network. The Access Control standard is the source of the often-quoted "four specifications, two required and two addressable": unique user identification and emergency access procedure are required, while automatic logoff and encryption/decryption are addressable.

"Addressable" does not mean optional. A covered entity must assess whether encryption is a reasonable and appropriate safeguard in its environment and, if it is, implement it. If it concludes that encryption is not reasonable and appropriate, it must document that decision and the reasoning behind it, and implement an equivalent alternative measure where one is reasonable and appropriate (45 CFR 164.306(d)(3)). Doing nothing and documenting nothing is not a permitted outcome. So while HIPAA does not flatly mandate encryption, the latitude is narrower than it is often described, and an entity that skips encryption should expect to explain why. Encryption also carries a practical incentive: under the Breach Notification Rule, ePHI that was encrypted in line with the HHS guidance (which points to NIST standards such as SP 800-111 for data at rest) is treated as "secured", so its loss does not trigger breach notification, provided the decryption key was not compromised along with it.

WHY ELECTRONIC PATIENT DATA SHOULD BE ENCRYPTED

Even though encryption of ePHI is addressable rather than required under HIPAA, it is still strongly advisable. Failure to encrypt ePHI can have several consequences in the event of a data breach:

  • Financial loss: The HHS Office for Civil Rights (OCR), which enforces the Security Rule, and state attorneys general can impose civil penalties if they determine that the safeguards in place for ePHI were insufficient. Breach notification costs, credit monitoring for affected patients, and settlements or compensation add to the bill.
  • Loss of reputation: Following a breach, the affected facility often loses the trust of its patients, who take their care elsewhere instead of returning.
  • Identity theft: Medical records typically hold names, dates of birth, insurance details, and other identifiers that cannot be reissued like a card number, so patients whose records are stolen remain at risk of medical and financial identity theft long after the breach.

PATIENT ELECTRONIC DATA STATES

Before encrypting patient data, consider which state the data is in, because each state calls for a different control. Electronic patient data is in one of three states:

  • Data in use: Data that an application is actively processing, held in memory while it is read, updated, or deleted. Conventional encryption does not cover this state; protection here comes from access control, process isolation, and, where available, confidential-computing hardware.
  • Data in motion: Data in transit over a wired or wireless network between its storage location and its destination, such as a clinician's workstation. This is the state addressed by the Transmission Security standard and protected in practice by TLS or IPsec.
  • Data at rest: Data not currently in use, residing on storage such as hard drives, physical servers, backup media, or cloud storage. This is the state addressed by the Access Control standard's encryption specification and protected by full-disk, database, or application-level encryption.

Effective protection covers every state, but data at rest deserves particular attention because that is where most patient data spends most of its time: records lie dormant in a repository until they are needed, and every copy (production database, backup, snapshot, exported report, laptop) is a separate target. With the move to cloud storage, a single repository often holds the records of many facilities, which makes it a tempting target for attackers. Two caveats apply. First, encryption at rest protects against lost or stolen media, discarded drives, and direct access to the underlying storage; it does not protect against an attacker who compromises an application or account that is authorized to decrypt, so it complements access control rather than replacing it. Second, the encryption key must not be stored with the data it protects. HHS's guidance on securing PHI says the decryption key should be kept on a device or at a location separate from the encrypted data, and encrypted ePHI only counts as secured if the key was not compromised too; a backup that ships with its own key gives no safe-harbor benefit. Because of the key-management and coverage questions involved, expert help is generally advisable.
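What application-level encryption of a record at rest looks like in practice, as an added example that is not code from the original page or from Interoptex: a Go program that seals a patient record with AES-256-GCM, binds the ciphertext to its record identifier, and shows that a copy of the stored record is useless without the separately held key and that any tampering is detected rather than silently decrypted. The StoredRecord layout, the field names, and the sample patient string are constructed for this example and are not HIPAA-defined structures.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredRecord is what lands in the database or backup. Only RecordID is
// readable; it is also authenticated as associated data so that a ciphertext
// cannot be moved to another patient's row. (Hypothetical layout for this example.)
type StoredRecord struct {
	RecordID   string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output, includes the 16-byte authentication tag
}

// NewDataKey returns a random 256-bit AES key. In a real deployment the key
// lives in a KMS or HSM, never in the same store or backup as the records.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the PHI for recordID under key with a fresh random nonce.
func Seal(key []byte, recordID string, phi []byte) (*StoredRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, phi, []byte(recordID))
	return &StoredRecord{RecordID: recordID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a stored record. It fails if the key is wrong, if any byte of
// the ciphertext was changed, or if the record was relabelled with another ID.
func Open(key []byte, rec *StoredRecord) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(rec.Nonce) != gcm.NonceSize() {
		return nil, errors.New("stored record has an invalid nonce length")
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.RecordID))
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	phi := []byte("patient=Jane Doe;dob=1970-01-01;dx=E11.9") // constructed sample PHI
	rec, err := Seal(key, "mrn-000123", phi)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: id=%s ciphertext=%x\n", rec.RecordID, rec.Ciphertext)

	// Authorized path: correct key, untouched record.
	pt, err := Open(key, rec)
	fmt.Println("decrypt with real key ok:", err == nil && string(pt) == string(phi))

	// Stolen backup without the key: even a key differing in one bit is rejected.
	wrong := append([]byte(nil), key...)
	wrong[0] ^= 1
	_, err = Open(wrong, rec)
	fmt.Println("wrong key rejected:", err != nil)

	// Modified ciphertext is detected by the GCM tag, not decrypted to garbage.
	tampered := *rec
	tampered.Ciphertext = append([]byte(nil), rec.Ciphertext...)
	tampered.Ciphertext[0] ^= 1
	_, err = Open(key, &tampered)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

The point to notice is that the stored record alone, even with its nonce and ID, is of no use to someone who copies the database or a backup; the key kept elsewhere is what makes it ePHI again. That separation is what the HHS safe-harbor guidance asks for, and it is also what full-disk or cloud-provider encryption can quietly lose when the key is mounted on, or stored beside, the same volume.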

At Interoptex, we know what it takes to protect your patients' data from attackers. Even though encryption is an addressable implementation specification rather than a required one, we believe it is best practice for safeguarding patient data. Our HIPAA-compliant cloud solution is designed to provide the encryption and privacy you need to keep your patients' medical data secure in the cloud. Contact us today for more information about our services.