Is mandatory encryption in the HIPAA Security Rule?

Answer:

No. The final HIPAA Security Rule made the use of encryption an addressable implementation specification. See 45 CFR §§ 164.312(a)(2)(iv) and 164.312(e)(2)(ii). Covered entities use open networks such as the Internet and e-mail systems in different ways, and no single interoperable encryption solution for communicating over open networks exists. Mandating a single encryption standard could have placed an unfair financial and technical burden on some covered entities. Because the encryption implementation specification is addressable, it must be implemented if, after an assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its environment. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate; or, if the standard can otherwise be met, the covered entity may choose not to implement the implementation specification or any equivalent alternative measure.
