HIPAA Encryption Requirements on the Server

Posted on 2014-04-08
Last Modified: 2014-04-13
Under HIPAA regulations, does the server with PHI need to be encrypted at all, completely or in part?
Thanks.
Question by: b1dupree
Assisted Solution by: arnold (ID: 39987775)
There is no specific requirement for encryption.
Access to the data has to be controlled and auditable.
http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html

Accepted Solution by: btan (ID: 39987994)
If I may share the FAQ below - in short, there is no explicit mention, but the need to ensure confidentiality, integrity and availability indirectly leads to encryption as a best practice.

What about Encryption, is it required?
No. Encryption is not required but it is strongly suggested. Why? PHI that is released in encrypted form does not count as a release. It must be encrypted to the NIST standard (see http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf). So while you don’t have to encrypt data, it is best practice to do so while it is stored in the database, and especially while it is in transport.

What are some other best practices?
There are a few things that clients should do as it will help with their audit:

Document data management, security, training and notification plans
Client should use a Password policy for their access
Encrypt PHI data whether it’s in a database or in files on the server
Do not use public FTP. Use other methods to move files
Only use VPN access for remote access
Login retry protection in their application
Document a disaster recovery plan

Also, if you check out another medical centre's security rule, it further ascertains the requirement:

The Security Rule requires us to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, we must:

Ensure the confidentiality, integrity, and availability of all e-PHI we create, receive, maintain or transmit;
Identify and protect against reasonably anticipated threats to the security or integrity of e-PHI;
Protect against reasonably anticipated, impermissible uses or disclosures; and
Ensure compliance by our workforce.

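The FAQ quoted above says that PHI which is encrypted "to the NIST standard" (FIPS-197, i.e. AES) does not count as a release, and lists "Encrypt PHI data whether it's in a database or in files on the server" as a best practice. The following is an added example of what that looks like in practice; it is not code from the thread, the FAQ, or any HHS publication. It uses only the Go standard library and AES-256-GCM, so that the stored value is both confidential and integrity-protected (tampering is detected instead of producing wrong plaintext), and it binds each ciphertext to its record ID so that a value copied from one patient's row into another's will not decrypt. The patient ID, the diagnosis string and the in-memory key are constructed for the example; the assumption stated in the comments, that a real deployment obtains the key from a KMS, HSM or key file held outside the database, is mine and not something the FAQ specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// ErrTampered is returned when a stored value fails authentication: the
// ciphertext, nonce, tag, or the record it is bound to has been altered.
var ErrTampered = errors.New("phi: ciphertext failed authentication")

const keySize = 32 // AES-256, the FIPS-197 block cipher at its largest key size

// NewKey generates a random 256-bit data-encryption key.
// Assumption for this example: a real deployment would fetch the key from a
// KMS, HSM or key file kept outside the database, so that a copied database
// dump is useless on its own.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("phi: key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealField encrypts one PHI column value with AES-256-GCM. A fresh random
// nonce is drawn on every call, and recordID is passed as additional
// authenticated data so the ciphertext only decrypts in the row it was
// written for. The result is base64(nonce || ciphertext || tag), which
// fits an ordinary text column.
func SealField(key []byte, recordID string, plaintext []byte) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, plaintext, []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// OpenField reverses SealField. Any change to the stored value or to the
// record ID yields ErrTampered rather than silently wrong plaintext.
func OpenField(key []byte, recordID string, stored string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil || len(raw) < aead.NonceSize()+aead.Overhead() {
		return nil, ErrTampered
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return nil, ErrTampered
	}
	return plaintext, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample value, not real patient data.
	diagnosis := []byte("Dx: type 2 diabetes; A1c 7.9")
	stored, _ := SealField(key, "patient-1042", diagnosis)
	fmt.Println("stored column value:", stored)

	pt, err := OpenField(key, "patient-1042", stored)
	fmt.Printf("own row: %q err=%v\n", pt, err)

	// The same ciphertext copied into another patient's row is rejected.
	_, err = OpenField(key, "patient-2077", stored)
	fmt.Println("moved to other row:", err)
}
```

Two points worth noting against the FAQ's checklist: the record ID as AAD is what turns "encrypted in the database" into something an auditor can reason about (a ciphertext cannot be silently re-homed), and keeping the key out of the database is what makes a leaked backup a non-release under the encryption safe harbour the FAQ describes.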