The HIPAA encryption requirements have, for some, been a source of confusion. The reason for this is the technical safeguards relating to the encryption of Protected Health Information (PHI) are defined as "addressable" requirements.
Furthermore, the HIPAA encryption requirements for transmission security state that covered entities should "implement a mechanism to encrypt PHI whenever deemed appropriate". This instruction is vague and open to interpretation - hence the confusion.
https://www.netsec.news/hipaa-encryption-requirements
The term "addressable" does not mean the safeguard is something that can be put off until another day. It actually means that the safeguard should be implemented, an alternative to the safeguard that produces the same results should be implemented, or a covered entity has to document (with a justifiable reason) why no course of action has been taken in respect of this safeguard.
The phrase "whenever deemed appropriate" could, for example, be applied to covered entities that exchange communications via an internal server protected by a firewall. In this scenario, there should be no risk to the integrity of PHI from an outside source when confidential patient data is at rest or in transit.
Once a communication containing PHI goes beyond a covered entity's firewall, encryption becomes an addressable safeguard that must be dealt with. This applies to any form of electronic communication - email, SMS, instant message, etc. - except in the case where a patient has given their express, written permission for their PHI to be communicated without encryption.