Data Encryption and HIPAA Compliance: What You Need to Know

Posted by Rebecca Santorios on January 7, 2016

A HIPAA compliant cloud has a system of safeguards in place to protect ePHI, and strong data encryption is a fundamental part of that system. If you read the regulations closely, you will notice that encryption is technically not 'required': it is an 'addressable' implementation specification. Don't be fooled by that distinction. If you store ePHI, encryption should be part of your solution; without it, you are far more likely to run afoul of the regulations, and your business could suffer for it.

The Main Cause of Breaches Requiring Notification

Of the 75 breaches posted by HHS for the year so far, over half are due to lost or stolen devices or media, which is exactly the scenario in which encryption of data at rest decides whether the data on the device is readable. Many of these resulted in substantial fines, as well as damaged reputations. While a HIPAA compliant cloud helps prevent these types of security failures in the first place, the HIPAA regulations make it clear that encryption is also key.

What Do the Regulations Say About Encryption?

45 CFR 164 Subpart C lists the security standards for protection of ePHI. Each standard comes with implementation specifications, which provide deeper detail about how to comply with it. Implementation specifications are either 'required' or 'addressable'. If a specification is 'required', a covered entity must implement it. If it is 'addressable', the entity must assess whether the specification is reasonable and appropriate in its environment; it is permissible not to implement it only if you document why it is not reasonable and appropriate and implement an equivalent alternative measure where one is.

Data encryption is an 'addressable' specification (it appears twice, for data at rest in 45 CFR 164.312(a)(2)(iv) and for data in transit in 164.312(e)(2)(ii)), but it's tough to come up with a valid reason not to encrypt your data, and even tougher to find a reasonable substitute.

What Happens If Your Data Isn't Encrypted?

Properly implemented encryption makes the difference between a breach that requires notification and one that doesn't.

If you do suffer a breach of unsecured PHI, you'll need to notify each individual whose data was impacted, as well as HHS (without unreasonable delay, and no later than 60 days after discovery, if the breach affects 500 or more individuals; otherwise in an annual log submitted within 60 days of the end of the calendar year), and in some cases local media. Your business and your reputation will undoubtedly suffer. If the breach impacts over 500 individuals, you can expect HHS to post it online, meaning a quick search of your company will reveal to anyone that you've had a security failure that potentially exposed protected health information.

However, per Subpart D, you only need to provide notification of breaches of unsecured protected health information. This is defined in 45 CFR 164.402 as "protected health information that is not rendered unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or methodology" specified in guidance from the Secretary of HHS. And what does that guidance say? In essence, it says that PHI is rendered unusable, unreadable or indecipherable by either:

  1. Encryption consistent with the NIST guidelines it cites (NIST SP 800-111 for data at rest, and NIST SP 800-52, 800-77 and 800-113 for data in motion), provided the decryption key has not also been compromised, or
  2. Destruction of the media on which it is stored, consistent with NIST SP 800-88 (media sanitization)

The key caveat is in the first item: the guidance expects the decryption key to be stored on a device or at a location separate from the data it protects. A laptop whose disk encryption key sits unprotected on the same laptop, or a backup tape shipped together with its key, does not earn the safe harbor. Since destruction isn't typically applicable to data you still need, encryption with properly separated keys is the way to go. It's fundamental to your HIPAA compliant data system.
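Because the safe harbor depends on the key not being recoverable along with the data, here is an added example of envelope encryption at rest in Go, written for this article and not code from the original post or from ByteGrid. Each record is encrypted under its own data-encryption key (DEK), and the DEK is wrapped under a key-encryption key (KEK) that is assumed to live in a separate key store (an HSM or cloud KMS in practice; here simulated by a byte slice the caller holds and never writes to the device). The sample record, the AAD labels and the StoredRecord layout are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record standing in for an ePHI row; not real patient data.
const sampleRecord = `{"mrn":"000000","dx":"J45.909","note":"constructed example"}`

// newGCM builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAESGCM encrypts plaintext under key with a fresh random nonce.
// Output layout: nonce || ciphertext || tag.
func sealAESGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAESGCM reverses sealAESGCM; it fails on a wrong key or any tampering.
func openAESGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// StoredRecord is everything that ends up on the device or backup medium:
// the encrypted record and its DEK, the DEK itself encrypted under a KEK
// that is held elsewhere. Nothing here decrypts without the KEK.
type StoredRecord struct {
	WrappedDEK []byte // DEK sealed under the KEK
	Ciphertext []byte // record sealed under the DEK
}

// EncryptRecord generates a per-record DEK, seals the record with it, and
// wraps the DEK under the KEK (envelope encryption).
func EncryptRecord(kek, record []byte) (*StoredRecord, error) {
	dek := make([]byte, 32) // AES-256 data key
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := sealAESGCM(dek, record, []byte("ephi-record"))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealAESGCM(kek, dek, []byte("dek-wrap"))
	if err != nil {
		return nil, err
	}
	return &StoredRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord needs the KEK from the separate key store; the device
// contents alone (a StoredRecord) give an attacker nothing to decrypt with.
func DecryptRecord(kek []byte, sr *StoredRecord) ([]byte, error) {
	dek, err := openAESGCM(kek, sr.WrappedDEK, []byte("dek-wrap"))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openAESGCM(dek, sr.Ciphertext, []byte("ephi-record"))
}

func main() {
	kek := make([]byte, 32) // hypothetical KMS-held key; never written to the device
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	sr, err := EncryptRecord(kek, []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	// Simulate the lost laptop: the attacker holds sr but not kek.
	if _, err := DecryptRecord(make([]byte, 32), sr); err == nil {
		panic("decryption without the real KEK must fail")
	}
	pt, err := DecryptRecord(kek, sr)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with KEK: %s\n", pt)
}
```

What a stolen disk yields under this scheme is a set of StoredRecord blobs: ciphertext plus a wrapped DEK, neither of which opens without the KEK held in the separate key store. That is the property the HHS guidance is asking for. Contrast it with a laptop whose disk-encryption key is derived from a weak login password on the same machine, where the "separate location" requirement is not met in any meaningful sense. GCM also authenticates the data, so a modified ciphertext or a wrong key fails closed rather than returning garbage.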

Part of Your Total Compliance Solution

Remember that encryption is just one part of your system for full compliance. A HIPAA compliant data center helps you avoid breaches like the device losses above by keeping your critical data in the compliant cloud rather than on laptops and portable media, and out of the hands of unauthorized users. It will have encryption in place, with keys managed separately from the data, to help make sure that any unauthorized access doesn't result in disclosure of ePHI. Most importantly, it will have a full system in place to protect your data and adhere to HIPAA regulations.

ByteGrid is one of the only EHNAC accredited datacenters. We offer HIPAA compliant cloud solutions that are as plug-and-play as you can get. Contact us today to learn more about truly compliant cloud hosting.