• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1116
  • Last Modified:

HIPAA Encryption Requirements on the Server

Under HIPAA regulations, does the server with PHI need to be encrypted at all, completely or in part?
Thanks.
0
b1dupree
Asked:
b1dupree
2 Solutions
 
arnoldCommented:
There is no specific requirement for encryption.
Access to the data has to be controlled and auditable.
http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html
0
 
btanExec ConsultantCommented:
If I may share the below FAQ - in short there is no explicit mention but the need to ensure confidentiality, integrity and availability indirectly leads to encryption as best practices

What about Encryption, is it required?
No. Encryption is not required but it is strongly suggested. Why? PHI that is released in encrypted form does not count as a release. It must be encrypted to the NIST standard (see http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf). So while you don’t have to encrypt data, it is best practice to do so while it is stored in the database, and especially while it is in transport.

What are some other best practices?
There are a few things that clients should do as it will help with their audit:

Document data management, security, training and notification plans
Client should use a Password policy for their access
Encrypt PHI data whether it’s in a database or in files on the server
Do not use public FTP. Use other methods to move files
Only use VPN access for remote access
Login retry protection in their application
Document a disaster recovery plan

also if you check out other medical ctr security rule further ascertain the requirement

The Security Rule requires us to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, we must:

Ensure the confidentiality, integrity, and availability of all e-PHI we create, receive, maintain or transmit;
Identify and protect against reasonably anticipated threats to the security or integrity of e-PHI;
Protect against reasonably anticipated, impermissible uses or disclosures; and
Ensure compliance by our workforce.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now