The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was updated to include the Security Rule, which specifically focuses on electronic forms of Protected Health Information (ePHI). This was done as a result of doctors and other healthcare practitioners shifting from paper files to electronic media. With more and more doctors storing patients' personal information on computer hard drives, the cloud and other electronic media, there's a greater need for regulations pertaining to electronic media.

Of course, one of the easiest and arguably most effective ways to safeguard ePHI from unauthorized use is to encrypt it. Encryption converts an original message or data into an encoded message by means of an algorithm. This doesn't necessarily prevent other users from accessing it. Rather, it prevents them from reading the original message without the corresponding decryption key. If someone were to access a patient's encrypted file, they wouldn't be able to read the actual data unless they had the decryption key.

So, does HIPAA require doctors or other covered entities to use encryption? Contrary to popular belief, the answer is no. Neither the HIPAA Security Rule nor the Privacy Rule requires covered entities to encrypt ePHI. Instead, the final Security Rule lists encryption as an addressable specification, meaning it must be implemented if the covered entity determines that it is reasonable and appropriate after conducting a risk assessment. Covered entities must also document the reasoning behind their decision whether or not to use encryption (or any other addressable specification). Furthermore, if the standard (encryption) can otherwise be met, the covered entity may choose not to implement the specification or any equivalent measure.

Here's the thing: encryption almost always proves beneficial in protecting patients' personal information from unauthorized use or disclosure. Therefore, covered entities should typically implement this specification. When ePHI is encrypted, it's naturally protected from prying eyes – unless the individual accessing the ePHI has the decryption key.

Don't make the mistake of leaving your ePHI unencrypted. While technically an addressable specification, encryption is a useful tool in securing ePHI and protecting it from unauthorized use or access. If you aren't familiar with encryption, you can always outsource this task to a third party, assuming you use the appropriate Business Associate Agreement (BAA).

To learn more about encryption and its use in the medical field, check out the Department of Health and Human Services (HHS) website at
