What are the Data Encryption Requirements of HIPAA?

HIPAA requires Covered Entities and Business Associates to protect electronic protected health information with encryption when encryption is a reasonable and appropriate safeguard for the risks identified in the HIPAA Security Rule risk analysis. It also provides a breach notification safe harbor when protected health information is rendered unusable, unreadable, or indecipherable to unauthorized individuals using HHS-recognized encryption methods.

Under the HIPAA Security Rule, encryption is an addressable implementation specification for access control and transmission security, including the specifications at 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.312(e)(2)(ii). Addressable does not mean optional: the organization must either implement encryption, or document why encryption is not reasonable and appropriate in its environment and implement an equivalent alternative measure that reduces the risk to an acceptable level. Either decision must be supported by the documented risk analysis and risk management actions, and it must account for every place electronic protected health information is stored and transmitted, including endpoints, mobile devices, removable media, backups, cloud services, email, portals, interfaces, and remote access connections.

Encryption decisions affect incident handling under the HIPAA Breach Notification Rule because notification duties apply to breaches of unsecured protected health information. HHS has issued guidance describing when protected health information is considered secured through encryption and therefore not unsecured for breach notification purposes. This guidance ties the safe harbor to specific approaches and standards for encryption and for destruction of protected health information on media, and it applies to electronic protected health information and, where relevant, to portable electronic media.

Operationally, encryption should be addressed in policies, technical standards, and vendor governance. Covered Entities and Business Associates should define where encryption is required based on role-based access, device classes, transmission methods, and vendor integrations, and they should verify that encryption is enabled and enforced through configuration management and audit processes. Business Associate Agreements should address encryption responsibilities, key management practices, and incident reporting duties when a vendor creates, receives, maintains, or transmits protected health information on behalf of the regulated entity.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA