It seems as if everyone is talking about encryption these days, and that is certainly the case on our HIPAA Update blog.
HHS added encryption layers in its interim final rule on breach notification to specify the technologies and methods that render PHI “unusable, unreadable, or indecipherable to unauthorized individuals.” Some of these layers were not specified in the draft guidance HHS released in April.
“You now need to really consider encryption,” says Jeff Drummond, HIPAA blogger and health law partner in the Dallas office of Jackson Walker, LLP. “That’s sort of your first opportunity to avoid breach notification. You can’t do much about your paper records other than destroying them, which eliminates their utility. But for electronic data, you can keep it and use it, but should encrypt so it is considered ‘secured’ under HIPAA.”
In the interim final rule, the definitions for acceptable encryption include:
- Electronic PHI encrypted as specified in the HIPAA security rule. This includes “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.”
- Valid encryption processes for PHI in databases consistent with National Institute of Standards and Technology (NIST) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
- Valid encryption processes for PHI flowing through a network, including wireless, that comply with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; 800-113, Guide to SSL VPNs; and others validated by Federal Information Processing Standards 140-2.
Great resources, thanks Dom!
No problem!
Just let us know if you ever want to “start a conversation” on the blog or have any inquiries on HIPAA compliance.
It’s a crucial couple of months we’ve got coming up.