Does HIPAA Require Encryption?


In 2012-2013, the University of Texas MD Anderson Cancer Center had three data breaches involving unencrypted devices. An unencrypted laptop was stolen from an employee’s home, and two unencrypted USB thumb drives were lost. These incidents compromised the electronic protected health information (ePHI) of 33,500 individuals. Upon investigation, the Office for Civil Rights (OCR) found that MD Anderson had encryption policies in place and that its own risk analysis had rated its unencrypted devices as a high risk. Yet MD Anderson was slow to implement a solution and failed to encrypt its devices between 2011 and 2013. Taken together, this negligent lack of action led to three data breaches and a $4.3 million fine from the OCR. Nevertheless, MD Anderson contended that HIPAA did not require it to encrypt its devices.

Why Do I Need Data Encryption?

Unencrypted portable devices are a major security risk. If one falls into the wrong hands, the data on it is defenseless. That’s why the HIPAA Security Rule requires you to encrypt your ePHI. MD Anderson and many other organizations fail to see the difference between required and addressable implementation specifications. Encryption is addressable. However, addressable doesn’t mean optional. It means you must implement the specification or adopt an equivalent safeguard. If your organization has a justifiable reason why it can’t use encryption, you must find an equivalent method of securing your ePHI.

3 Steps to Implementing Encryption

Start implementing encryption in your organization by taking these three steps:

  1. Conduct a risk analysis. You can’t protect what you don’t know is at risk. A risk analysis helps you discover the threats and vulnerabilities that may compromise the security of your ePHI. MD Anderson’s risk analysis did identify its areas of high risk; the problem was that it failed to act on those findings.
  2. Take inventory of your assets that store or transmit ePHI. MD Anderson failed to encrypt its devices over a three-year period. It’s vital that you don’t overlook any devices, including employees’ personal devices that they use to access ePHI. You may need to encrypt these devices as well.
  3. Create encryption policies and procedures. Put the encryption process on paper and then implement it. MD Anderson took a lax approach to following its own policies, a dangerous practice when it comes time for an OCR audit. Additionally, you should train your staff on how to securely use devices and systems containing ePHI.

Encryption can sound like a daunting and time-consuming task. However, you can often encrypt devices using tools already built into them. Touch base with your IT team about the current state of data encryption and take steps to improve device security. To help you create a culture of security compliance, HIPAAtrek helps you keep track of policies and procedures, as well as staff training and security reminders. Request a demo or contact us to learn more.
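As an added example that is not part of the HIPAAtrek article, the PowerShell script below shows one way to carry out step 2 on a Windows endpoint using a tool that is already built in: it reads the BitLocker state of every volume the operating system can see (fixed disks and any removable drives that are plugged in at run time), flags volumes that are not fully encrypted with protection turned on, and writes the findings to a CSV that can be fed into your ePHI device inventory. It assumes the BitLocker PowerShell module is available (Windows 10/11 Pro or Enterprise, or Windows Server) and that the script runs from an elevated prompt; the output file name is an assumption chosen for this example.

```powershell
# Added example (not the article's own procedure): inventory BitLocker status on
# this Windows endpoint and report volumes that are not fully protected.
# Assumes the built-in BitLocker module and an elevated PowerShell session.

$computer = $env:COMPUTERNAME

# Get-BitLockerVolume returns one object per volume, including mounted removable
# drives such as USB thumb drives (BitLocker To Go).
$report = Get-BitLockerVolume | ForEach-Object {
    [PSCustomObject]@{
        Computer         = $computer
        MountPoint       = $_.MountPoint        # e.g. C: or E:
        VolumeType       = $_.VolumeType        # OperatingSystem or Data
        ProtectionStatus = $_.ProtectionStatus  # On or Off
        VolumeStatus     = $_.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        EncryptionMethod = $_.EncryptionMethod  # e.g. XtsAes128, XtsAes256, or None
        Checked          = (Get-Date).ToString('s')
    }
}

# A volume only counts as protected when protection is on AND encryption has
# finished. "EncryptionInProgress" or "Off" still leaves ePHI readable by a thief.
$findings = $report | Where-Object {
    $_.ProtectionStatus -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted'
}

$report | Format-Table -AutoSize

if ($findings) {
    $outFile = Join-Path $env:TEMP "bitlocker-findings-$computer.csv"   # assumed path
    $findings | Export-Csv -Path $outFile -NoTypeInformation
    Write-Warning "$(@($findings).Count) volume(s) on $computer are not fully protected by BitLocker; see $outFile"
} else {
    Write-Output "All volumes on $computer are fully encrypted with BitLocker protection on."
}
```

Run this on each endpoint (for example through your management tooling) and reconcile the CSVs against your asset inventory: any device that stores ePHI and shows up with a finding is exactly the kind of gap that sat unaddressed at MD Anderson for three years. Devices running other operating systems have their own built-in equivalents (FileVault on macOS, LUKS on Linux) and need a matching check.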
