The Health Insurance Portability and Accountability Act (HIPAA) provides standards to improve efficiency and combat fraud in the medical industry by protecting sensitive patient health information (PHI). Provisions for safeguarding patient data were added through the introduction of the Privacy Rule in 2000 and the Security Rule in 2003.
HIPAA data encryption requirements can be a source of confusion for many covered entities because of the differences between required and addressable implementation specifications in the Security Rule. A required security measure must be implemented for HIPAA compliance, while addressable security measures give covered entities greater flexibility as to how PHI is protected.
Encryption, for example, is an addressable security measure, but this does not mean that covered entities can simply elect to not encrypt their data. Instead, they must use an alternative security measure that provides the same or greater level of protection as encryption.
In this article, we’ll highlight the HIPAA data encryption requirements and explain how a solution like WinZip® Enterprise can help healthcare organizations comply with data security standards.
What Is data at rest?
- On a laptop or computer.
- On a tablet or smartphone.
- In database servers or cloud storage.
- On portable storage devices (e.g., solid-state disk drives, USB sticks, and external hard drives).
Cybercriminals target data at rest because it’s easier to acquire. For example, data stored on a portable flash drive can be compromised if an attacker steals the drive. The flash drive could also be infected with malware or viruses that allow hackers to control the connected device or network and steal your data.
Database servers and cloud storage can hold large volumes of at-rest data, making them a valuable target for malicious attackers. This is because data at rest often holds your company’s most important and sensitive information, such as:
- Electronic protected health information (ePHI).
- Financial documents.
- Intellectual property.
- Third-party contracts.
When you encrypt data at rest, you scramble the original, readable data (known as plaintext) into ciphertext. Should an unauthorized person get hold of data in ciphertext, they would not be able to read or use it without the encryption algorithm and decryption key.
HIPAA encryption requirements for data at rest
The HIPAA Security Rule addresses protection for data at rest and data in transit. Anyone who processes or handles protected health information (PHI) must comply with Security Rule provisions. This includes, but is not limited to, the following entities:
- Medical, research, or government facilities.
- Cloud storage providers.
- Software-as-a-Service (SaaS) platforms.
- Managed service provider (MSP) and IT contractors.
The Security Rule protects PHI from theft or unauthorized exposure using technical, physical, and administrative safeguards. These safeguards set the standard by which companies can develop and implement policies and procedures to protect sensitive data.
Encryption falls under the Security Rule’s technical safeguards. The Department of Health and Human Services (HHS) notes that encryption reduces the risk that of an unauthorized user can view viewing and manipulatinge the data.
While encryption is identified as an addressable implementation specification, the wording contained in the Code of Federal Regulations (CFR) indicates that encryption is the preferred technique for PHI security. According to 45 CFR Section 164.312, covered entities and business associates must implement a mechanism to encrypt and decrypt electronic protected health information.
The HHS Office of Civil Rights (OCR), which enforces HIPAA rules, does not recommend a specific type of encryption for data at rest. However, the National Institute of Standards and Technology (NIST) recommends protecting PHI data with Advanced Encryption Standard (AES) encryption.
AES encryption is widely used to protect both data at rest and data in transit. It is a symmetric block cypher, meaning that it uses a single key to encrypt and decrypt data in blocks instead of encrypting one bit at a time.
HIPAA compliance for data at rest
To protect data at rest, you must first understand and identify the various types of sensitive data that your organization stores. The data classification process helps assess the security measures needed to protect varying levels of sensitive information.
You can classify your data by organizing it into relevant categories based on shared characteristics, such as levels of sensitivity and risks associated with each data type.
Sensitivity and risk categories commonly include the following:
Public data. The lowest classification level is public data, which means that it can be freely disclosed without negative consequences. Public data is considered low risk because it is accessible to the public and can be easily recovered.
Private data. Also known as internal-only data, this type of data should be safeguarded against public access to preserve its integrity. Private data presents a moderate risk when it is handled and stored, requiring proper access controls to prevent loss or compromise.
Confidential data. The confidential classification level means that access is typically restricted to specific teams or individuals. It is considered high risk because unauthorized exposure can have a negative impact on your organization.
Restricted data. The highest classification for data sensitivity is restricted, which has strict legal and security requirements. Restricted data is also high risk because it cannot be easily recovered if lost or compromised.
You cannot monitor and control data if you do not know where it resides. Data classification helps you identify which categories are subject to HIPAA data encryption requirements.
Knowing where PHI and other health-related information is stored ensures that the correct controls are implemented to secure the data. Encrypting data at rest allows you to store it in an unreadable format. In the event an unauthorized individual accesses the data, they would not be able to decipher it without the decryption key.
Why HIPAA compliance requires data encryption
Data encryption is an effective method for rendering PHI unusable to unauthorized individuals. If malicious actors steal unencrypted data, they can immediately read, access, and use it.
HIPAA’s Breach Notification Rule requires notification to affected individuals following a breach of unsecured PHI. The key word here is unsecured—information that is properly encrypted is not subjected to the Breach Notification Rule.
For example, the Athens Orthopedic Clinic agreed to a $1.5 million settlement to resolve multiple HIPAA violations. The investigation found that Athens Orthopedic failed to implement security measures, including data encryption, to protect PHI.
In another breach-related incident, the University of Rochester Medical Center (URMC) was assessed a $3 million resolution to settle potential HIPAA violations. The settlement stemmed from two PHI breaches involving an unencrypted flash drive and an unencrypted laptop.
While it is not possible to prevent all cyberattacks, failure to comply with HIPAA rules puts data at an increased risk of theft or loss. Only encryption provides a safe harbor from breach notification requirements.
To ensure that PHI is encrypted properly, HIPAA identifies valid encryption processes for data at rest and data in transit. Whenever data is stored on a digital medium or end user device, HIPAA data at rest encryption requirements are consistent with NIST Special Publication 800-111, “Guide to Storage Encryption Technologies for End User Devices.”
The following processes are identified best practices for encrypting PHI data at rest:
Application-level encryption (ALE). With ALE, encryption is implemented within an application, which allows you to customize the encryption process based on user roles and permissions.
Full disk encryption (FDE). FDE converts data on a disk drive into an unreadable format. Without the proper authentication key, the disk data is inaccessible even if the hard drive is removed and placed in another device.
File level encryption. Encrypting at the file level protects individual files and directors rather than the whole disk. Each item is encrypted with a unique key, adding an extra layer of security to full disk encryption.
The consequences of noncompliance
Noncompliance with HIPAA may be deliberate or unintentional, which impacts the severity of the penalties received. For example, a violation that you were either unaware of or could not have realistically avoided will have a lower penalty than a violation stemming from willful neglect.
While encryption is not specifically mandated, failure to encrypt PHI sets up your organization for a HIPAA violation. Noncompliance can result in fines as well as civil and criminal penalties.
For example, Lifespan Health System Affiliated Covered Entity (Lifespan ACE), a non-profit health system, received a $1 million penalty following a data breach. The health system was fined for violation of the technical safeguards detailed in the Security Rule.
Lifespan ACE failed to encrypt mobile devices even after a risk assessment indicated that encryption was warranted. The data breach occurred after an unencrypted laptop was stolen from an employee’s vehicle. With no security mechanisms in place, the thief had access to PHI of over 20,000 patients.
Whether malicious or accidental, a breach of unsecured PHI data can impact not only your bottom line but your reputation as well. Reports indicate that 46% of organizations have suffered damage to their reputation in the aftermath of a data breach. In addition, 87% of consumers say they would take their business elsewhere if a company experienced a breach.
WinZip Enterprise ensures compliance with data encryption requirements
Safeguarding data privacy and security should be a top priority for organizations subject to HIPAA rules. WinZip Enterprise protects sensitive data at rest and in transit using FIPS 140-2 validated encryption.
With WinZip Enterprise, data is encrypted at the file level to restrict access to unauthorized users. With centralized IT control, you can easily deploy and enforce policies related to data security.
To further protect your sensitive data, WinZip Enterprise respects internal security controls set by your IT admins using Windows Information Protection (WIP). As a WIP-enlightened application, WinZip Enterprise protects data against accidental exposure on both company-owned and personal devices.