Compliance

Does HIPAA require encryption? What small practices need to know

HIPAA Update Series: Learn why encryption may become mandatory under HIPAA, how it protects client data, and simple steps small practices can take now.

Estimated reading time: 9 minutes

When was the last time you thought about encryption? If you're like most people, it's probably been a while.

But with the U.S. Department of Health and Human Services (HHS) rolling out updates to the Health Insurance Portability and Accountability Act (HIPAA) rules, you may want to get up to speed on encryption.

That's because HHS's proposed 2024 updates to the HIPAA Security Rule include some significant changes.

If your practice relies on email, forms, or other software with limited security, you may need to review how your current tools protect client information.

Taking a few minutes to learn about encryption now could save you some major headaches down the road.

TL;DR: HIPAA may soon require encryption, rather than just being an "addressable" requirement. The proposed update would require all healthcare providers to encrypt client data both during transmission and while it's stored. Now is the time for small practices to review their tools or switch to ones like Hushmail that already meet these standards.

What is encryption?

Encryption scrambles messages so they are unreadable to anyone without a special answer key. For information stored online, in computers, or on other devices, encryption uses digital processes to scramble and unscramble messages.

There are two main types of digital encryption:

  1. Encryption in transit (on the move)
    This scrambles information as it moves from Point A to Point B. It could apply to communications sent by email, text, or fax.
  2. Encryption at rest (in storage)
    This protects information when it's stored on devices like your computer hard drive, a server, or the cloud.

How the HIPAA encryption requirements could change

When it comes to encryption, the proposed updates to the Security Rule suggest two major changes.

Proposed updates to encryption

Under the new proposed rules, encryption would:

  1. Be required (on the move and while being stored)
  2. Meet current cryptographic standards

"With more personal information online than ever before, healthcare organizations are becoming an attractive target for hackers. The updates to the HIPAA Security Rule are a necessary response to these changing realities."

Margaret Hales, J.D., CEO of ET&C Group LLC and The HIPAA E-Tool

Let's take a closer look at what that all means.

1. Encryption would be required

The proposed revisions would make the rules on encryption "required" rather than "addressable".

Here's the difference.

Currently, the HIPAA Security Rule allows you to assess whether encryption makes sense for your practice. If you decide that encryption isn't "reasonable and appropriate", you can choose not to use it (as long as you have a good reason, protect your client data another way, and document your choice).

If encryption becomes "required," then all Covered Entities will have to use it. There won't be a way to opt out. This means electronic protected health information (ePHI) would have to be encrypted on the move (in transit) and in storage (at rest).

2. Encryption would need to meet current cryptographic standards

The rules may also alter what counts as encryption.

Currently, the Security Rule requires covered entities to use "a mechanism" to encrypt information.

But the proposed updates instruct Covered Entities to use encryption that "meets prevailing cryptographic standards."

"These days, encrypting PHI in transit and at rest is essential for any healthcare organization."

Margaret Hales, J.D., CEO of ET&C Group LLC and The HIPAA E-Tool

At the end of the day, these updates don't just change the rule; they change what everyday compliance looks like for small healthcare practices.

What the new HIPAA encryption rules mean for small practices

Think about your clients' sensitive data. Where do you keep it? Probably in most of these places:

  • Computer hard drive
  • Cloud storage
  • USB flash drives
  • Electronic health records system (EHR)
  • Email
  • Forms
  • Mobile devices

If the modifications to the HIPAA Security Rule become law, ePHI will need to be encrypted in all applicable locations.

This is the perfect time to take a close look at the tools you have and consider how you would adapt if the proposed updates become reality.

And even if the rules don't change, you should still consider updating your encryption. Cyberattacks on healthcare organizations are on the rise, making updated encryption more important than ever.

"Especially with AI on the scene, it's a good time for small healthcare practices to take a close look at how they're protecting client information and boost their security wherever possible."

Margaret Hales, J.D., CEO of ET&C Group LLC and The HIPAA E-Tool

Why not all "HIPAA-compliant" tools are truly secure

Since the current HIPAA rules aren't very specific about encryption, it's easy for a software provider to claim that their services are encrypted, even if they're not fully secure. There are two main reasons for this.

This might surprise you, but many providers only encrypt data when it's in motion, not in storage. That means an email, for example, would be protected on its way from you to your client, but not while it's sitting in your inbox or theirs. Emails only take a few seconds to send, but they spend years in storage. If they aren't protected there, too, they're vulnerable.
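To make the in-transit versus at-rest distinction concrete, here is a small Go program, added to this post as an illustration and not code from Hushmail or from the original article. It models two mailbox backends with constructed sample data: one that relies only on transport protection and writes the received message straight to storage, and one that seals the message body with AES-256-GCM before storing it. The `Record` type, the function names, the in-memory key and the sample message are all assumptions made for the example. The check at the end shows why the first design leaves ePHI readable to anyone who can read the storage medium (a lost laptop, an old backup, a breached server), even though the message was protected on the wire.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what a mailbox or form backend writes to storage for one message.
// The type is an assumption for this example, not a real product's format.
type Record struct {
	Subject string
	Body    []byte // exactly the bytes that land on the storage medium
}

// storeTransitOnly models a service that protects the message with TLS on the
// wire but writes the received plaintext straight to storage. TLS ends at the
// server, so after that point the bytes are plaintext again.
func storeTransitOnly(subject string, plaintext []byte) Record {
	return Record{Subject: subject, Body: append([]byte(nil), plaintext...)}
}

// storeAtRest encrypts the message body with AES-256-GCM before writing it.
// In a real deployment the key lives in a key management system, never beside
// the data it protects; here it is simply passed in.
func storeAtRest(key []byte, subject string, plaintext []byte) (Record, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Record{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per record
		return Record{}, err
	}
	// The subject is bound as associated data, so a ciphertext cannot be
	// quietly moved to a record with a different subject.
	sealed := gcm.Seal(nil, nonce, plaintext, []byte(subject))
	return Record{Subject: subject, Body: append(nonce, sealed...)}, nil
}

// openAtRest decrypts a record written by storeAtRest. Any change to the
// stored bytes or to the subject makes the authentication check fail.
func openAtRest(key []byte, rec Record) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(rec.Body) < ns {
		return nil, errors.New("stored record is too short to contain a nonce")
	}
	return gcm.Open(nil, rec.Body[:ns], rec.Body[ns:], []byte(rec.Subject))
}

// storedPlaintextExposed reports whether the original message can be read
// directly from what was written to storage, which is what a risk assessment
// of "encryption at rest" is really asking.
func storedPlaintextExposed(rec Record, plaintext []byte) bool {
	return bytes.Contains(rec.Body, plaintext)
}

func main() {
	key := make([]byte, 32) // 256-bit key, generated here only for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample ePHI; not real client data.
	msg := []byte("Client: J. Doe, DOB 1980-01-01, follow-up appointment Friday")

	transit := storeTransitOnly("Appointment", msg)
	fmt.Println("transit-only backend exposes plaintext at rest:", storedPlaintextExposed(transit, msg))

	rest, err := storeAtRest(key, "Appointment", msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("at-rest backend exposes plaintext at rest:", storedPlaintextExposed(rest, msg))

	back, err := openAtRest(key, rest)
	fmt.Println("at-rest record decrypts with the key:", err == nil && bytes.Equal(back, msg))
}
```

When you ask a vendor how they encrypt stored data, this is the difference you are trying to pin down: whether the bytes on their disks and backups look like the first record or the second, and who holds the key that turns the second back into the first.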

How to assess your current encryption setup

Encryption touches tools your healthcare practice uses every day. It might take time to get a handle on what you have and what might need to change. Follow these four steps to see where you stand.

If this sounds overwhelming, take a breath; you can tackle it one step at a time.

Step 1: Make a list of all the places your digital client data is stored, including:

  • Desktop hard drives
  • Laptop hard drives
  • Cloud storage
  • EHR
  • Phones or tablets
  • USB flash drives

👉 Why it matters: You can't protect what you don't know you have.

Step 2: Make a list of all the programs you use that send digital client data to others, including your:

  • Email
  • EHR
  • Online fax systems
  • Text messaging
  • Internet-based phone services (aka "Voice over Internet Protocol" or VoIP)

👉 Why it matters: Every transmission point is a potential risk if not properly encrypted.

By the way, you just completed the first step of a HIPAA security risk assessment — another "addressable" HIPAA rule that could become a requirement soon.

If you haven't done a risk assessment this year, now is the perfect time!

Step 3: Review the lists you created and verify whether the information in those places/tools is encrypted and how it's encrypted.

This may involve conducting online research or contacting your service providers.

👉 Why it matters: Not all tools labeled "HIPAA-compliant" meet the same encryption standards.

Step 4: Review your lists to identify any gaps. Ask yourself:

  • Is the information in all these places/tools encrypted?
    If not, what would it take to use encryption? For example, if information on your desktop computer isn't encrypted, you might need to switch the encryption setting to "on" in your operating system (e.g., Microsoft and Apple both offer encryption).
  • Is the information that you send to others encrypted on the move (in transit) and in storage (at rest)?

If one of the places/tools you listed doesn't have adequate encryption, consider closing the gap by purchasing new services or switching providers.

👉 Why it matters: A small update today could prevent a big compliance issue later.

By following these steps, you'll have a clear picture of where your practice stands and a roadmap for what to improve. You may even find that some of your tools, such as email or forms, already meet the new encryption standards.

How to pick the right encryption tools

What should you look for in an encryption service provider? Encryption can be very technical, but there are some ways to tell if services will be truly secure or not.

Providers with strong encryption will mention it. Look for phrases like:

This information may not be readily available on a website; you may need to dig a little for it. However, if you can't find it at all, or the provider refuses to answer questions about their encryption practices, move on.

🤓 Want Hushmail's technical details?
If you want a detailed look at how Hushmail's encryption works at a technical level, download our full encryption white paper.

Download our "Hushmail Security" white paper (PDF - 237 KB)

Use Hushmail for secure email and forms

One easy place to start (you're already here, after all) is Hushmail for your email and client forms.

Our encryption meets the proposed HIPAA standards. We protect data both when it's on the move and when it's being stored. We also use OpenPGP, a widely used, gold-standard encryption method.

If you want to ensure your emails and forms are fully protected (and get ahead of the HIPAA updates), switching to Hushmail is one easy way to check "email and forms" off your encryption to-do list.

We also offer some of the most affordable plans available.

Prepare today to stay compliant tomorrow

We know this can be a lot. But preparing for change today means you can take it easy down the road. If your practice is not ready for this change, numerous resources are available to help you secure your practice in a changing digital world.

You're probably already doing more right than you think. This is just your next step toward stronger protection.

Get ahead of the new HIPAA encryption rules, starting with your email and forms:

Reviewed by: Margaret Hales, J.D., CEO of ET&C Group LLC and The HIPAA E-Tool, and Steven O. Youngman, VP of Legal and Compliance, Hushmail.
