Q&A: Documenting security standards

Q. My understanding is that HIPAA doesn’t mandate use of a specific security standard. Are we required to keep documentation explaining why we chose a particular security standard? I’ve also been told that we are required to encrypt data according to National Institute of Standards and Technology (NIST) standards. Is this spelled out in the regulations?

A. HIPAA doesn’t mandate you use a specific tool or software solution. It does mandate specific security standards and implementation specifications, though. For example, the HIPAA Security Rule doesn’t mandate what information security training vendor you elect to contract with, but HIPAA does mandate that you train staff on the HIPAA security requirements. You could elect to adhere to the NIST standards, the International Organization for Standardization standards, or another recognized set of security standards as long as you make sure the chosen standards meet all of the HIPAA security requirements.

It’s a good idea to document what standards you are following and the solutions that you’ve implemented to address the requirements included in the HIPAA Security Rule. You should also document how those solutions meet the HIPAA requirements and how they protect your organization. You may have already documented what security controls or standards have been implemented as part of conducting a periodic risk analysis. The risk analysis should document what security controls you’re implemented to protect against a variety of threats and vulnerabilities that may harm your organization, and it should address technical and non-technical aspects of HIPAA.

There is no specific requirement that PHI be encrypted in accordance with the NIST standards, but it’s a good idea. If the NIST standards are followed and a device on which PHI was stored is lost or stolen or an email containing PHI is intercepted, the incident would not be considered a breach of unsecure PHI. This represents a safe harbor when it comes to breach notification.

The HIPAA Security Rule lists encryption as an addressable implementation specification, which means that you must do it or implement a comparable control. However, OCR has been pretty vocal when it comes to encryption. If PHI will be included in an email or stored on the hard or flash drive of a mobile device, OCR is enforcing the encryption provisions as required versus addressable. This has been stated at conferences OCR has participated in, and it’s addressed in the preamble of the Omnibus Rule and the HIPAA Clinical Laboratory Improvements and Amendments Rule.