
Indian Health Service The Federal Health Program for American Indians and Alaska Natives

Health Insurance Portability and Accountability Act (HIPAA)

Use of Encryption

When implementing controls under HIPAA, covered entities must in general "(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part. (4) Ensure compliance with this subpart by its workforce. (1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart. (2) In deciding which security measures to use, a covered entity must take into account the following factors: (i) The size, complexity, and capabilities of the covered entity. (ii) The covered entity's technical infrastructure, hardware, and software security capabilities. (iii) The costs of security measures. (iv) The probability and criticality of potential risks to electronic protected health information. (c) Standards. A covered entity must comply with the standards as provided in this section and in § 164.308, § 164.310, § 164.312, § 164.314, and § 164.316 with respect to all electronic protected health information." [§ 164.306 Security standards: General rules.]

(e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. [§ 164.312 Technical safeguards.]
Under this standard is the Encryption Implementation Specification (IS). While this is an Addressable IS, the standard itself still requires some technical security measure to guard against unauthorized access to EPHI. Typically the easiest and most economical technical measure for accomplishing this is a cryptographic one. So, while encryption is addressable and there is some flexibility in how it is implemented, it is likely the best solution for this standard. Also under this standard is the Addressable IS to protect the integrity of EPHI. The integrity of EPHI is just as important as, and sometimes more important than, its confidentiality. Again, the easiest and most economical technical measure for accomplishing this is typically a cryptographic one.

(2) Implementation specifications:
(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
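The transmission-security standard and its two addressable specifications above ask for two things: that EPHI in transit stay confidential, and that any improper modification be detected. A single authenticated-encryption primitive delivers both. The Go program below is an added illustration written for this page; it is not IHS code and is not referenced by the regulation. It seals a constructed sample record with AES-256-GCM from Go's standard library, shows that a message altered by even one bit is rejected on receipt, and assumes the key is shared with the receiver out of band (here it is generated in-process so the example runs stand-alone). The function names (ProtectForTransmission, ReceiveTransmission, TamperIsDetected) and the sample header and record are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewTransmissionKey returns a random 256-bit AES key. In a real deployment
// the key would come from a key-management system shared with the receiver;
// it is generated in-process here only so the example runs stand-alone.
func NewTransmissionKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ProtectForTransmission seals one EPHI record with AES-256-GCM and returns
// nonce || ciphertext || authentication tag. The ciphertext keeps the record
// confidential (the Encryption specification); the tag lets the receiver
// detect any modification of the nonce, ciphertext or header (the Integrity
// controls specification). header is authenticated but sent in the clear,
// so it can carry routing data that intermediaries need to read.
func ProtectForTransmission(key, header, ephi []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce that prefixes the message.
	return aead.Seal(nonce, nonce, ephi, header), nil
}

// ReceiveTransmission reverses ProtectForTransmission. It returns an error,
// and no plaintext at all, if the key is wrong or any byte of the message or
// header was altered in transit. Callers must treat that error as a detected
// integrity failure, not fall back to a lenient parse of the bytes.
func ReceiveTransmission(key, header, wire []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(wire) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("message too short to carry a nonce and tag")
	}
	nonce, sealed := wire[:aead.NonceSize()], wire[aead.NonceSize():]
	return aead.Open(nil, nonce, sealed, header)
}

// TamperIsDetected flips one bit in the middle of a protected message and
// reports whether the receiver rejected it. With a correct integrity control
// this is always true, whichever byte is changed.
func TamperIsDetected(key, header, wire []byte) bool {
	modified := append([]byte(nil), wire...)
	modified[len(modified)/2] ^= 0x01
	_, err := ReceiveTransmission(key, header, modified)
	return err != nil
}

func main() {
	key, err := NewTransmissionKey()
	if err != nil {
		panic(err)
	}
	header := []byte("msg-type=lab-result; facility=EXAMPLE-CLINIC") // constructed
	record := []byte("MRN 0000000 DOB 1970-01-01 HbA1c 6.1%")        // constructed sample EPHI
	wire, err := ProtectForTransmission(key, header, record)
	if err != nil {
		panic(err)
	}
	got, err := ReceiveTransmission(key, header, wire)
	fmt.Printf("round trip ok: %v (%q)\n", err == nil, got)
	fmt.Printf("modification detected: %v\n", TamperIsDetected(key, header, wire))
}
```

The design point worth noting for an Addressable specification review is that the receiver never sees plaintext from a message whose tag fails to verify, so "not improperly modified without detection" is enforced by the primitive rather than by a separate check that could be skipped.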

EPHI has been categorized as High according to the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems. As such, Annex 3 to NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, Minimum Security Controls, High Baseline, is used to help determine the types of controls required. Annex 3 delineates the following security controls for transmission confidentiality and integrity.

SC - 9: The information system protects the confidentiality of transmitted information. The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless protected by alternative physical measures (e.g., protective distribution systems).

SC - 8: The information system protects the integrity of transmitted information. The organization employs cryptographic mechanisms to ensure recognition of changes to information during transmission unless otherwise protected by alternative physical measures (e.g., protective distribution systems).

NIST Special Publications (SP) are guides and not mandatory. However, SP 800-53 is being written to a FIPS Publication. The Federal Information Security Management Act 2002 (FISMA) made all FIPS Publications mandatory without an option for waivers. This means that the controls delineated in the final FIPS Pub 200 will be mandatory for all federal entities. It is likely that the controls above, SC 8 and 9, will be part of the FIPS Pub 200 and be mandatory.

Tribal requirements for complying with HIPAA:
A May 2003 letter from Dr. Grimm [PDF-57KB] discusses the issue of Tribally run health facilities complying with HIPAA.
While the letter at times addresses the Privacy Rule specifically, the implication is that the requirements under HIPAA include the later finalized Security Rule.

§ 164.312 Technical safeguards.
A covered entity must, in accordance with § 164.306:
(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).
(2) Implementation specifications:
(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.
(ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
(c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
(2) Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
(e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
(2) Implementation specifications:
(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

§ 164.306 Security standards: General rules.
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
(b) Flexibility of approach.
(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.
(c) Standards. A covered entity must comply with the standards as provided in this section and in § 164.308, § 164.310, § 164.312, § 164.314, and § 164.316 with respect to all electronic protected health information.
(d) Implementation specifications.
In this subpart:
(1) Implementation specifications are required or addressable. If an implementation specification is required, the word ''Required'' appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word ''Addressable'' appears in parentheses after the title of the implementation specification.
(2) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes required implementation specifications, a covered entity must implement the implementation specifications.
(3) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes addressable implementation specifications, a covered entity must-
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and
(ii) As applicable to the entity-
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate-
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.
