Episode 22: Know The Rules! Data Encryption

What is encryption?

Encryption is a method of converting an original message (the plaintext, which may be text or any other data) into unreadable ciphertext. The conversion is performed by an algorithm (a cipher) under the control of a secret key; the algorithm can be public, and the secrecy rests in the key.

If information is properly encrypted, nobody other than a party holding the key (or with access to another confidential process that yields it) should be able to decrypt the ciphertext and recover the plain, comprehensible text. The practical consequence is that protection of the key matters as much as the encryption itself.
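The definition above, worked through in code. This is an added example, not code from the page or from HIPAA alli: it assumes AES-256-GCM (the page names no algorithm), the function names `NewKey`, `Encrypt`, `Decrypt` and `Demo` are hypothetical, and the sample patient record is constructed, not real ePHI. It shows the three properties a practitioner cares about: the key holder recovers the plaintext, a party with a different key gets an error rather than data, and any change to the stored blob is detected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 32-byte key for AES-256. In a real system
// this key lives in a key manager or HSM, never next to the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. The returned blob is
// nonce || ciphertext || authentication tag. A fresh random 96-bit nonce is
// drawn per call; reusing a nonce under the same key breaks GCM entirely.
// aad is authenticated but not encrypted (e.g. a record-type label).
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce so one blob is stored.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. It returns an error, never garbage, if the key
// is wrong, the aad differs, or any bit of the blob was altered.
func Decrypt(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Demo exercises the properties described in the text and reports them:
// round trip with the right key, rejection of a wrong key, rejection of
// a tampered blob.
func Demo() (roundTrip, wrongKeyRejected, tamperRejected bool, err error) {
	// Constructed sample record; not real patient data.
	record := []byte("MRN 000123|DOE, JANE|1975-04-02|Dx: E11.9")
	aad := []byte("patient-record-v1")

	key, err := NewKey()
	if err != nil {
		return
	}
	sealed, err := Encrypt(key, record, aad)
	if err != nil {
		return
	}
	got, err := Decrypt(key, sealed, aad)
	if err != nil {
		return
	}
	roundTrip = bytes.Equal(got, record)

	other, err := NewKey() // a party without the real key
	if err != nil {
		return
	}
	_, e := Decrypt(other, sealed, aad)
	wrongKeyRejected = e != nil

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, e = Decrypt(key, tampered, aad)
	tamperRejected = e != nil
	return
}

func main() {
	rt, wk, tp, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("round trip: %v, wrong key rejected: %v, tamper rejected: %v\n", rt, wk, tp)
}
```

GCM is used rather than a bare block-cipher mode because the Security Rule's concern is integrity as well as confidentiality: an unauthenticated mode would decrypt a modified record into silently corrupted data, while GCM refuses it. The code says nothing about where the key is stored or rotated, and that is the part an auditor will ask about first.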

Is the use of encryption mandatory in the Security Rule?

The HIPAA Security Rule makes the use of encryption an addressable implementation specification. See 45 CFR § 164.312(a)(2)(iv) (encryption and decryption, under the access control standard) and § 164.312(e)(2)(ii) (encryption, under the transmission security standard).

The encryption implementation specification is addressable: it must be implemented if, after an enterprise-wide risk analysis, the entity determines that the specification is a reasonable and appropriate safeguard for managing risks to the confidentiality, integrity and availability of electronic protected health information (ePHI).

If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, provided that the alternative is itself reasonable and appropriate.

If the standard can otherwise be met, the Covered Entity (CE) or Business Associate (BA) may choose not to implement the implementation specification or any equivalent alternative measure, and must document the rationale for that decision.

You need to decide whether and how to use encryption. To be clear about what we mean: encryption scrambles electronic information so that it is unreadable to anyone who is not authorized to read it, that is, anyone who does not hold the decryption key.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

Don’t know where or how to start or update your HIPAA security compliance training? Let’s chat about your compliance program – schedule a call with HIPAA alli today!

3 thoughts on “Episode 22: Know The Rules! Data Encryption”

  1. […] Magnolia Grove and FVC Augusta failed to implement a mechanism to encrypt and decrypt ePHI, when it was reasonable and appropriate to do so under the […]

  2. […] Consider installing or using encryption software for your […]

  3. […] reported are typical for environments where the WannaCry scanning virus persists, even though the encryption stage has been blocked by antivirus (AV), or is not executing. The virus can persist even on a […]