Q&A: End-to-end encryption's impact on notification requirements

Q: Is there ever a case in which, even with end-to-end encryption in place, you could still have breach notification requirements?

A: No. If the ePHI is encrypted at the level set by the National Institute of Standards and Technology, it is not unsecure PHI, so no notification is required. You do need to document the incident, because it is still a security incident and that is a requirement of the HIPAA Security Rule.

Editor’s note: Apgar is president of Apgar & Associates LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.