Q&A: Documenting the appropriate level of data encryption
Q. We see many assertions that encryption at the right level meets the National Institute of Standards and Technology (NIST)/HIPAA safe harbor provision with no explanation of what is necessary to prove the breached electronic protected health information (PHI) was actually encrypted at the moment of breach. How can a covered entity prove the PHI was actually encrypted at the time of the breach?
A. Covered entities and business associates need to maintain documentation that devices, media, and transmissions of PHI are encrypted at a level set by NIST. This documentation could be a list of the software or vendors used to secure PHI at rest (stored PHI) and in transmission, along with periodic reviews documenting that the encryption standard used is at the level set by NIST and that encryption is turned on. If PHI is stored on an unencrypted server and the server is hacked or a ransomware attack occurs, the safe harbor standard can’t be demonstrated.
Make sure you can document that any lost or stolen mobile devices and portable media were encrypted at the time of loss or theft. This means you need to be able to demonstrate that the devices were locked down, strong passwords or passcodes were in place, and no users have administrator or local administrator rights on mobile devices. That demonstrates the end user cannot turn off encryption and the end user has enabled a strong password or passcode. As far as demonstrating portable media has been encrypted, you need to be able to prove tools have been implemented to prevent the use of unencrypted portable media, and/or you need to be able to demonstrate that PHI cannot be downloaded to portable media. If you can’t prove the device or media was encrypted at the time of loss or theft, you can’t assume the safe harbor has been met. In that case, you need to conduct the four-factor risk assessment as required by the HIPAA Breach Notification Rule.
Editor's note: This question was answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a Briefings on HIPAA editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Editor Nicole Votta at nvotta@hcpro.com.
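The answer above lists what has to be demonstrable for a lost Windows laptop: encryption was on, the user could not turn it off, a strong passcode was required, and unencrypted portable media was blocked. The following script is an added example, not part of the original Q&A and not Apgar's or HCPro's code; it collects a point-in-time record of those four controls from a Windows 10/11 endpoint and writes it with a SHA-256 digest so a reviewer can later show the file is unchanged. It assumes the BitLocker PowerShell module, elevated execution (for instance from an endpoint-management agent on a schedule), and that the evidence directory, the administrator allow-list and the minimum password length (`$EvidenceDir`, `$AllowedAdmins`, `$MinPasswordLength`) are hypothetical values you replace with your own policy.

```powershell
<#
Added example (not from the original Q&A): collect evidence that a Windows
endpoint has full-disk encryption on, no end-user local administrators, a
minimum password length, and write access to removable drives limited to
BitLocker-protected media. Assumes Windows 10/11 with the BitLocker module,
run elevated. $EvidenceDir, $AllowedAdmins and $MinPasswordLength are
hypothetical defaults; replace them with your own policy values.
#>
param(
    [string]$EvidenceDir     = 'C:\ProgramData\PhiEvidence',
    [string[]]$AllowedAdmins = @("$env:COMPUTERNAME\Administrator"),
    [int]$MinPasswordLength  = 12
)

$record = [ordered]@{
    Hostname           = $env:COMPUTERNAME
    CollectedAt        = (Get-Date).ToUniversalTime().ToString('o')
    Volumes            = @()
    LocalAdmins        = @()
    PasswordMinLength  = $null
    RemovableDenyWrite = $null
    Findings           = @()
}

# 1. Encryption state. "Encrypted" alone is not enough: a volume whose
#    protection is suspended (ProtectionStatus Off) or still encrypting would
#    not support a claim that the data was unreadable when the device was lost.
foreach ($vol in Get-BitLockerVolume) {
    $record.Volumes += [ordered]@{
        MountPoint       = $vol.MountPoint
        VolumeType       = [string]$vol.VolumeType
        ProtectionStatus = [string]$vol.ProtectionStatus
        VolumeStatus     = [string]$vol.VolumeStatus
        EncryptionMethod = [string]$vol.EncryptionMethod
        KeyProtectors    = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    }
    if ([string]$vol.ProtectionStatus -ne 'On' -or [string]$vol.VolumeStatus -ne 'FullyEncrypted') {
        $record.Findings += "Volume $($vol.MountPoint): protection $($vol.ProtectionStatus), status $($vol.VolumeStatus)"
    }
}

# 2. Local administrator membership. Anyone in this group can suspend or
#    decrypt BitLocker, so every member outside the allow-list is a finding.
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $record.LocalAdmins += [ordered]@{
        Name   = $m.Name
        Class  = $m.ObjectClass
        Source = [string]$m.PrincipalSource
    }
    if ($AllowedAdmins -notcontains $m.Name) {
        $record.Findings += "Unexpected local administrator: $($m.Name)"
    }
}

# 3. Minimum password length, read from the local account policy
#    ("net accounts" prints one "Minimum password length: N" line).
foreach ($line in (net accounts)) {
    if ($line -match '^Minimum password length:\s+(\d+)') {
        $record.PasswordMinLength = [int]$Matches[1]
    }
}
if ($record.PasswordMinLength -lt $MinPasswordLength) {
    $record.Findings += "Minimum password length $($record.PasswordMinLength) is below $MinPasswordLength"
}

# 4. Removable media. The Group Policy "Deny write access to removable drives
#    not protected by BitLocker" is stored as FVE\RDVDenyWriteAccess = 1.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$record.RemovableDenyWrite = [bool]($fve -and $fve.RDVDenyWriteAccess -eq 1)
if (-not $record.RemovableDenyWrite) {
    $record.Findings += 'Unencrypted removable media can be written to'
}

# 5. Persist the record with a SHA-256 digest so a later reviewer can show the
#    file has not changed since collection. Ship both off the device: the
#    evidence is useless if it only lives on the laptop that went missing.
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$stamp  = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$path   = Join-Path $EvidenceDir "$($env:COMPUTERNAME)-$stamp.json"
$record | ConvertTo-Json -Depth 5 | Set-Content -Path $path -Encoding UTF8
$digest = (Get-FileHash -Path $path -Algorithm SHA256).Hash
"$digest  $(Split-Path $path -Leaf)" | Add-Content -Path (Join-Path $EvidenceDir 'SHA256SUMS')

if ($record.Findings.Count -eq 0) {
    Write-Output "PASS: $path"
} else {
    Write-Output "FAIL: $path"
    $record.Findings | ForEach-Object { Write-Output "  - $_" }
    exit 1
}
```

Run it on a schedule and forward the JSON records and the SHA256SUMS file to a central store; a record produced after a device is reported missing proves nothing, so it is the unbroken series of earlier records for that hostname that supports the safe harbor claim. The non-zero exit code on any finding lets the management agent alert on a device that has drifted (protection suspended, a user added to Administrators) long before it is lost, which is exactly the periodic review the answer calls for.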