While the Department of Health and Human Services (HHS) established many requirements for health providers under HIPAA, some of them leave open how they are to be implemented. Encryption is one such measure: under the Security Rule it is an "addressable" specification rather than a required one, which means it is strongly encouraged but not mandatory in every case. If a provider chooses not to encrypt, it must document why encryption is not "reasonable and appropriate" for its environment, explain how that decision was reached, and then either implement an equivalent alternative safeguard or show why electronic Protected Health Information (ePHI) remains adequately protected without it. In practice there is rarely a good reason to avoid encryption, because it also acts as a "safe harbor" under the Breach Notification Rule: if PHI is lost, sent to the wrong individual, or stolen, the incident is not treated as a reportable breach when the data was encrypted in a manner consistent with HHS guidance (which points to NIST standards) and the decryption key was not compromised along with it.
On the other hand, encrypting an entire network is not always necessary. Derrick Wlodarz, president of FireLogic, Inc., advises to first think about "every single potential place where PHI is flowing or taking place [and] encrypt that." That can include servers, workstations, email, medical devices, faxing, and texting. The price can be high if one decides to move beyond free encryption tools, potentially $800 to $1,000 for a "tech-heavy" office. Regardless of price, however, it is better to be safe than sorry when it comes to protecting PHI under HIPAA.