Solved

HIPAA Encryption Requirements on the Server

Posted on 2014-04-08
2
995 Views
Last Modified: 2014-04-13
Under HIPAA regulations, does the server with PHI need to be encrypted at all, completely or in part?
Thanks.
0
Comment
Question by:b1dupree
2 Comments
 
LVL 77

Assisted Solution

by:arnold
arnold earned 150 total points
ID: 39987775
There is no specific requirement for encryption.
Access to the data has to be controlled and auditable.
http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html
0
 
LVL 63

Accepted Solution

by:
btan earned 350 total points
ID: 39987994
If I may share the below FAQ - in short there is no explicit mention but the need to ensure confidentiality, integrity and availability indirectly leads to encryption as best practices

What about Encryption, is it required?
No. Encryption is not required but it is strongly suggested. Why? PHI that is released in encrypted form does not count as a release. It must be encrypted to the NIST standard (see http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf). So while you don’t have to encrypt data, it is best practice to do so while it is stored in the database, and especially while it is in transport.

What are some other best practices?
There are a few things that clients should do as it will help with their audit:

Document data management, security, training and notification plans
Client should use a Password policy for their access
Encrypt PHI data whether it’s in a database or in files on the server
Do not use public FTP. Use other methods to move files
Only use VPN access for remote access
Login retry protection in their application
Document a disaster recovery plan

also if you check out other medical ctr security rule further ascertain the requirement

The Security Rule requires us to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, we must:

Ensure the confidentiality, integrity, and availability of all e-PHI we create, receive, maintain or transmit;
Identify and protect against reasonably anticipated threats to the security or integrity of e-PHI;
Protect against reasonably anticipated, impermissible uses or disclosures; and
Ensure compliance by our workforce.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s the first day of March, the weather is starting to warm up and the excitement of the upcoming St. Patrick’s Day holiday can be felt throughout the world.
OnPage: Incident management and secure messaging on your smartphone
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question