Health Information Compliance Alert

Published on Mon Apr 15, 2019 PDF

Question: Our office has purchased encryption software that claims to be “100-percent HIPAA compliant.” When a vendor claims its product is “HIPAA compliant,” what does this really mean?

New Jersey subscriber

Answer: Nearly every vendor of an encryption product that targets the healthcare market will claim that the product is HIPAA compliant — this is important because health information that is properly encrypted is exempt from the HIPAA Breach Notification Rules.

Warning: But unfortunately, you cannot buy HIPAA compliance. If a third-party firm says its encryption product is “HIPAA compliant,” that company is simply telling you that the product fulfills the HIPAA encryption guidelines for stored data and data over networks.

Just because an encryption product meets HIPAA’s data encryption guidelines does not mean that you’re ultimately complying with the HIPAA Security Rule simply by using the product. In terms of encryption, the Security Rule standard states that you must “implement a mechanism to encrypt and decrypt electronic protected health information” (ePHI).

What to do: This standard is “addressable,” meaning that you must carefully analyze your organization’s operations to determine what type of encryption product is “reasonable and appropriate” for your business. You must base your analysis on a variety of factors related to your organization, such as:

• Your organization’s size, complexity and capabilities;
• Your organization’s technical infrastructure, hardware and software security capabilities;
• The costs of encryption measures; and
• The probability and criticality of potential risks to ePHI.

Bottom line: Whether your organization is a small physician office or a large healthcare system, you must document why you believe that a selected encryption product is appropriate for your operations, and maintain adherence to the compliance standards using internal checks and balances.