Q&A: Encryption requirements with open and closed networks
Q: Does HIPAA require encryption when sharing data over the internet? Should data be encrypted when it is being emailed to someone at the same facility?
A: The HIPAA Security Rule lists encryption as an addressable implementation specification. That means you must either encrypt data transmitted over an open network (the internet) or implement a security control equivalent to encryption and keep solid, documented justification for why you are not encrypting the data. However, since 2013 OCR has stated that such data must be encrypted. In other words, while encryption is addressable in the rule, OCR enforces the rule as if encryption were required. At the Privacy and Security Forum in Washington, D.C., in fall 2018, the director of OCR told the audience that one of the takeaways was "encrypt, encrypt, encrypt!"
If you are sending PHI by email within a closed network, such as to coworkers, the PHI does not need to be encrypted as long as you have assurances that it is not being sent over an open network. For example, if you send an email containing PHI through your corporate intranet to someone within your organization, you do not need to encrypt the email. On the other hand, if you send that same email by a method that carries it outside the intranet (such as the free version of Gmail), it must be encrypted even when the recipient is in your own organization. Likewise, if you send an email to another practice located in the same facility or building, you may need to encrypt it, because the message may travel between different networks or email accounts. For example, if you work for ABC practice, which has its own Office 365 subscription, and you send PHI to XYZ practice, which has a separate Office 365 subscription, you must encrypt the PHI because it will be sent over an open network, the internet. The deciding factor is the path the message actually takes, not where the sender and recipient sit.