HIPAA Encryption Requirements on the Server

Posted on 2014-04-08
Last Modified: 2014-04-13
Under HIPAA regulations, does the server with PHI need to be encrypted at all, completely or in part?
Thanks.
Question by:b1dupree
2 Comments
Assisted Solution

by:arnold
arnold earned 450 total points
ID: 39987775
There is no specific requirement for encryption.
Access to the data has to be controlled and auditable.
http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html
Accepted Solution

by:btan
btan earned 1050 total points
ID: 39987994
If I may share the FAQ below. In short, there is no explicit mention, but the need to ensure confidentiality, integrity and availability indirectly leads to encryption as a best practice.

What about Encryption, is it required?
No. Encryption is not required but it is strongly suggested. Why? PHI that is released in encrypted form does not count as a release. It must be encrypted to the NIST standard (see http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf). So while you don’t have to encrypt data, it is best practice to do so while it is stored in the database, and especially while it is in transport.

What are some other best practices?
There are a few things that clients should do as it will help with their audit:

Document data management, security, training and notification plans
Client should use a Password policy for their access
Encrypt PHI data whether it’s in a database or in files on the server
Do not use public FTP. Use other methods to move files
Only use VPN access for remote access
Login retry protection in their application
Document a disaster recovery plan

Also, if you check out other medical center security rules, they further ascertain the requirement:

The Security Rule requires us to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, we must:

Ensure the confidentiality, integrity, and availability of all e-PHI we create, receive, maintain or transmit;
Identify and protect against reasonably anticipated threats to the security or integrity of e-PHI;
Protect against reasonably anticipated, impermissible uses or disclosures; and
Ensure compliance by our workforce.
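The FAQ quoted in the accepted answer recommends encrypting PHI at rest with AES (FIPS-197) while it sits in a database or in files. The program below is an added example, not code from the thread or from either answerer, showing what that looks like at field level: AES-256-GCM from Go's standard library, with the row identifier bound in as associated data so a stored ciphertext fails to decrypt if it is altered or copied into another patient's row. The key is generated at random as a stand-in for one fetched from a KMS or HSM, and the record identifier `patient-0001` and the diagnosis string are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedField is what gets stored in the database column instead of the
// clear-text PHI value: the random GCM nonce plus ciphertext-with-tag.
type SealedField struct {
	Nonce      []byte
	Ciphertext []byte
}

// Seal encrypts one PHI value with AES-256-GCM (AES per FIPS-197, GCM per
// NIST SP 800-38D). recordID is passed as associated data so the ciphertext
// is cryptographically tied to the row it belongs to.
func Seal(key []byte, recordID string, plaintext []byte) (SealedField, error) {
	if len(key) != 32 {
		return SealedField{}, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return SealedField{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return SealedField{}, err
	}
	// A fresh random nonce per value; reusing a nonce under the same key
	// breaks GCM, so never derive it from anything predictable.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedField{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return SealedField{Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal. It returns an error (and no plaintext) if the ciphertext
// was modified or if it is presented with a different recordID than it was
// sealed under, which is the integrity property the Security Rule asks for.
func Open(key []byte, recordID string, f SealedField) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, []byte(recordID))
}

func main() {
	// Constructed demo key. In a real deployment the key comes from a KMS/HSM
	// and is never stored next to the data it protects.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	const recordID = "patient-0001" // constructed sample row identifier
	sealed, err := Seal(key, recordID, []byte("diagnosis: hypertension"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: nonce=%x ct=%x\n", sealed.Nonce, sealed.Ciphertext)

	pt, err := Open(key, recordID, sealed)
	fmt.Printf("same row:      %q err=%v\n", pt, err)

	_, err = Open(key, "patient-0002", sealed)
	fmt.Printf("moved row:     err=%v\n", err)

	sealed.Ciphertext[0] ^= 0x01
	_, err = Open(key, recordID, sealed)
	fmt.Printf("tampered byte: err=%v\n", err)
}
```

Go's `crypto/aes` implements the FIPS-197 algorithm, but whether a given deployment counts as using a FIPS-validated module depends on how the binary is built and which crypto module it links; the example above makes no claim about that. Transport encryption, the other half of the FAQ's advice, is a separate TLS configuration concern and is not shown here.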