What is encryption and is it required by the Security Rule?
Encryption is a means of taking a plain text message and converting it into a nonsensical or otherwise unreadable group of symbols. Encryption requires the recipient to “unlock” or translate the message and convert it back into plain text. Without some form of encryption, email can be easily intercepted and read by someone other than the intended recipient. Encryption decreases the probability of an unintended recipient reading an email that contains sensitive or confidential information. Encryption is an addressable implementation and therefore is not technically required by the HIPAA Security Rule. (See CFR § 164.312(a)(2)(iv).) However, addressable implementations must be met in some reasonable and appropriate manner and must be documented. Finally, if the standard is being met by an alternative method, the entity must document how the standard is met by that alternative method.