Is encryption a HIPAA compliance requirement? Based on how the law was written, it can be hard to tell.
I for one get nervous whenever I see “encryption” and “Congress,” or even “government,” in the same sentence. Information security transcends partisan lines since it affects us all equally. It’s great that both sides are beginning to see the importance of information security, and more specifically encryption, as essential to national security.
Lawmakers Don't Know the Facts
The problem is that most members of Congress are not technologically savvy and lack the insight to make educated decisions when writing laws concerning technology and protected health information (PHI). Lawmakers need to be careful about what they say and how they say it when it pertains to information security and compliance.
Protected Trust released an article back in March 2016 that paints a perfect example of Congress undermining encryption and compliance regulations, specifically stating that encryption is not required to be HIPAA compliant. However, if you do not encrypt your data and PHI is breached, you are on the hook for fines, civil suits, and a PR nightmare. How many companies heard this from lawmakers and decided right then and there that encryption no longer matters?
The fact of the matter is that HIPAA is nowhere near a perfect compliance standard; no compliance standard is. The devil is in the details, so to speak. Defining encryption as not required under the standard does a serious disservice to businesses, particularly the healthcare industry. It potentially gives decision makers in healthcare the wrong idea: that they don’t need to bother with encryption because it isn’t required.
Encryption is a HIPAA Compliance Requirement
The problem is that even though encryption isn’t strictly required under HIPAA, you still need to give a documented reason why your business doesn’t use it if you happen to be audited or, even worse, breached. And because there is no good reason for a healthcare company not to encrypt PHI, if you do become the victim of a data breach your company is going to be in serious trouble.
Just a few months ago, St. Joseph Health in California was fined $2,140,500 and now has to implement corrective actions to protect against future breaches. The records of about 30,000 patients were publicly accessible through internet search engines such as Google. Allegedly this happened due to the improper implementation of a new server. You can read the full resolution agreement on the HHS website.
Despite encryption being labeled “addressable” rather than “required” in HIPAA, encryption is the single most important control for achieving HIPAA compliance. How else are you going to secure your data from outside threats? Even if your business doesn’t get breached, auditors are still going to figure out that your business doesn’t have the proper security controls in place.
Ultimately, if your business doesn’t have the proper security controls in place, such as encryption and proper network access rights, you won’t know you’ve been breached until someone reports the damage. By that time, it’s too late. You’re open to lawsuits, fines, and a PR mess. But don’t take Congress’ word for it, because as usual they are either lying or ignorant of the facts.