Auditor Tips: Implement Encryption

You should implement encryption to protect PHI any time it is stored.

Mark Miner
Auditor Tips
HIPAA

*This article was taken from our HIPAA Guide. For more information on this topic, download our free HIPAA Guide.

"Currently, the strongest, most common encryption algorithm is AES-256."

Even though HIPAA regulations indicate that encryption is an addressable item (§164.312(a)(2)(iv), §164.312(e)(1), §164.312(e)(2)(ii)), HHS has made it very clear in its posted settlement details that ePHI should be encrypted or protected in other ways of equal or greater effectiveness.

There are three common data protection processes that are often confused: masking, hashing, and encrypting. Let me break them down for you:

  1. Masking is when you hide part of the data from view. It’s still there in clear text; you just can’t see all of it on the screen. Masking is used to hide parts of the patient information not needed by specific workforce members and to reduce shoulder-surfing compromises. Masking is good practice whenever ePHI is displayed, but masking alone will not protect PHI from being compromised.
  2. Hashing is when you run the data through a mathematical algorithm to change it into something indecipherable. You can’t undo a hashed value to get back to the original data. Generally, healthcare entities don’t hash PHI.
  3. Encrypting is similar to hashing because data is run through a mathematical algorithm. However, in addition to providing the data to encrypt, you also provide an encryption key. The algorithm uses the key to encrypt the PHI data. The key may be used to later decrypt the data. Depending on the encryption algorithm, you may use the same key to decrypt the data, or there may be a separate key for decryption. This way the data is safely stored, and the only way to see the data is by using the decryption key to unlock it.

You should use encryption to protect PHI any time it is stored. You should also use masking to display only the information each user requires to complete their responsibilities. This will help you meet the Minimum Necessary rule.

Whenever implementing encryption, always use the strongest algorithm your system can handle, such as AES-256. TDEA (or 3DES) is a weaker algorithm and will soon be disallowed. Therefore, TDEA is not recommended for new implementations.

Remember that many older algorithms are not acceptable (e.g., RC4, 3DES).

Finally, it is critical to protect the key used to decrypt PHI. The strongest lock is useless if the key is easy to obtain. Backups of keys should be stored securely. For example, backups of keys could be stored in a safe or a safe deposit box. Most computer systems can automatically handle encryption if they’re properly configured. Practice Management and Electronic Health Record software may also provide an encryption feature. In each case, care should be taken to follow instructions provided by the vendor to correctly implement the encryption and secure the encryption keys.
