Solved

HIPAA Encryption Requirements on the Server

Posted on 2014-04-08
2
984 Views
Last Modified: 2014-04-13
Under HIPAA regulations, does the server with PHI need to be encrypted at all, completely or in part?
Thanks.
0
Comment
Question by:b1dupree
2 Comments
 
LVL 77

Assisted Solution

by:arnold
arnold earned 150 total points
ID: 39987775
There is no specific requirement for encryption.
Access to the data has to be controlled and auditable.
http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html
0
 
LVL 62

Accepted Solution

by:
btan earned 350 total points
ID: 39987994
If I may share the below FAQ - in short there is no explicit mention but the need to ensure confidentiality, integrity and availability indirectly leads to encryption as best practices

What about Encryption, is it required?
No. Encryption is not required but it is strongly suggested. Why? PHI that is released in encrypted form does not count as a release. It must be encrypted to the NIST standard (see http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf). So while you don’t have to encrypt data, it is best practice to do so while it is stored in the database, and especially while it is in transport.

What are some other best practices?
There are a few things that clients should do as it will help with their audit:

Document data management, security, training and notification plans
Client should use a Password policy for their access
Encrypt PHI data whether it’s in a database or in files on the server
Do not use public FTP. Use other methods to move files
Only use VPN access for remote access
Login retry protection in their application
Document a disaster recovery plan

also if you check out other medical ctr security rule further ascertain the requirement

The Security Rule requires us to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, we must:

Ensure the confidentiality, integrity, and availability of all e-PHI we create, receive, maintain or transmit;
Identify and protect against reasonably anticipated threats to the security or integrity of e-PHI;
Protect against reasonably anticipated, impermissible uses or disclosures; and
Ensure compliance by our workforce.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
The new Gmail Phishing Scam going around is surprising even the savviest of users with its sophisticated techniques.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

816 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now