Encrypting Protected Health Information for HIPAA Compliance

Addressable doesn't mean optional: Having an implementation plan can be helpful in case of an audit.

The Department of Health and Human Services (HHS) doesn't give providers an exact prescription for how to comply with much of HIPAA. Certain parts of the legislation are optional, others are mandatory, and some are "addressable," meaning they must at least be considered and documented.

Encryption falls into this grayer, addressable category. HIPAA doesn't require providers to encrypt devices or electronic information, but it is strongly encouraged.

If you determine encryption isn't "reasonable and appropriate" for your practice, you must first document why you reached that decision and then either implement an alternative safeguard or document why your electronic protected health information (PHI) is safe without encryption or an alternative.

Encryption, however, acts as a safe harbor. If you lose PHI, send it to the wrong person, or have it stolen, it isn't considered a breach if it is encrypted. For this reason, many experts highly recommend encryption, including Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems, LLC in Charlotte, Vermont.

“Don't be afraid of encryption,” he said. “It used to be people were scared it would fry their computers or wouldn't work. There are all kinds of options for encryption that they can take advantage of. It works well.”

Where to start

If you are wondering what needs to be encrypted in your office, Derrick Wlodarz, president of FireLogic, Inc., in Park Ridge, Illinois, has some advice: “What is every single potential place where PHI is flowing or taking place? Encrypt that,” he recommends.

Map every place where information is passed. You may be using a cloud-based, protected electronic medical record, but do you also send information by e-mail? Do you text, or move files around the office on desktops or laptops? If so, you need to consider how each of these processes and devices can be encrypted.

E-mail

E-mail is the channel that is most easily overlooked, Wlodarz said. The good news is that it's also easily remedied: a number of vendors now offer end-to-end e-mail encryption services.

Wlodarz said his organization considers Office 365 the "gold standard" in this space. With just a few configuration changes, he said, e-mail can be encrypted in a way that meets HIPAA's requirements.

A drawback to e-mail encryption is cost, but prices are coming down as more options hit the market, Sheldon-Dean said. And after the upfront cost is paid, the service runs on its own and is simple to use.

