The Health Insurance Portability and Accountability Act (HIPAA) establishes and regulates national standards for electronic health care transactions. According to the website of the U.S. Department of Health and Human Services:
The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information…. The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.
HIPAA encryption requirements are still widely regarded as vague and a matter of contention. The main source of confusion is that encryption of Protected Health Information (PHI) falls under the definition of an addressable requirement.
When a requirement is addressable, the safeguard should be implemented and taken seriously, or another measure that produces an equivalent result should be enforced. As the Practice Management Center of the American Medical Association points out, the goal is to “…render electronic personal health information (ePHI) unusable, unreadable or indecipherable to unauthorized individuals…”. Some HIPAA encryption best practices are:
- Use encryption that has been certified by the National Institute of Standards and Technology (NIST).
- Use an encryption key management appliance that is FIPS 140-2 certified. Federal Information Processing Standards codes (FIPS codes) are a standardized set of numeric/alphabetic codes issued by the National Institute of Standards and Technology (NIST), designed to establish uniform identification of geographic entities across all federal government agencies.
- Encrypt all details and records that deal with ePHI, for example medical records, emails and files.
- Encrypt any data or information published online.
- Encrypt data on laptops and other systems.
- Encrypt data that leaves the organization’s premises.
- Best practice also demands that any session during which ePHI is accessed be encrypted and treated with the utmost seriousness. Employees should adopt all of the above practices and make them habitual, so that there is no unauthorized disclosure of the information.
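As an added illustration of what "encrypting ePHI records so they are unusable to unauthorized individuals" looks like in code, the following Go program (example code written for this page, not from HHS, the AMA or any HIPAA toolkit) seals a constructed patient record with AES-256-GCM, a NIST-approved authenticated encryption mode. The record ID is kept in the clear for indexing but bound to the ciphertext as additional authenticated data, so a modified or transplanted ciphertext is rejected instead of decrypted. The data key is generated locally only so the example runs stand-alone; the `newDataKey` function marks where a FIPS 140-2 validated key management appliance or service would supply and wrap the key in a real deployment. The record ID, field names and sample values are all constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope holds one encrypted ePHI record. RecordID stays in the clear so
// the record can be indexed, but it is bound to the ciphertext as AAD, so
// attaching the ciphertext to a different record ID fails authentication.
type Envelope struct {
	RecordID   string
	Nonce      []byte
	Ciphertext []byte // ciphertext followed by the 16-byte GCM tag
}

// newDataKey returns a fresh 256-bit data-encryption key. Assumption for this
// example: in production the key would come from (and be wrapped by) a
// FIPS 140-2 validated key management appliance; here it is generated locally
// so the program runs offline.
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-GCM AEAD from a raw key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals plaintext under AES-256-GCM with a random 96-bit nonce
// and binds recordID as additional authenticated data.
func EncryptRecord(key []byte, recordID string, plaintext []byte) (*Envelope, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return &Envelope{RecordID: recordID, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptRecord opens an envelope. Any change to the nonce, ciphertext, tag
// or record ID makes Open fail, so a tampered record is never returned.
func DecryptRecord(key []byte, env *Envelope) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.RecordID))
}

// RoundTrip is a self-check: it encrypts a constructed record, confirms it
// decrypts to the original bytes, and confirms that flipping one bit of the
// ciphertext is rejected.
func RoundTrip() (bool, error) {
	key, err := newDataKey()
	if err != nil {
		return false, err
	}
	// Constructed sample record; not real patient data.
	record := []byte(`{"mrn":"MRN-000123","name":"Jane Example","dx":"E11.9"}`)
	env, err := EncryptRecord(key, "MRN-000123", record)
	if err != nil {
		return false, err
	}
	pt, err := DecryptRecord(key, env)
	if err != nil || string(pt) != string(record) {
		return false, errors.New("round trip did not reproduce the record")
	}
	env.Ciphertext[0] ^= 0x01 // simulate corruption or tampering in storage
	if _, err := DecryptRecord(key, env); err == nil {
		return false, errors.New("tampered ciphertext was accepted")
	}
	return true, nil
}

func main() {
	ok, err := RoundTrip()
	fmt.Println("self-check passed:", ok, "error:", err)
}
```

The design point is that confidentiality alone is not enough for a stored record: GCM's authentication tag plus the record ID in the AAD gives the integrity property the Security Rule also asks for, and decryption fails closed rather than returning a silently altered record.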