DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
This article discusses the HIPAA Security Rule Transmission Security standard, a technical safeguard measure that must be implemented to prevent unauthorized access to ePHI being transmitted over an electronic communications network.
The HIPAA Security Rule Transmission Security standard is a Technical Safeguard standard. It reads:
(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
(2) Implementation specifications:
(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
Transmission security measures are mechanisms to guard against unauthorized access to ePHI being transmitted over an electronic communications network.
What are Methods of Protecting ePHI Integrity?
According to HHS guidance, a primary method for protecting the integrity of ePHI in transit is the use of network communications protocols. In general, these protocols, among other things, ensure that the data sent is the same as the data received. The guidance notes that other security measures can also provide integrity controls for ePHI transmitted over an electronic communications network, such as data or message authentication codes, which a HIPAA-covered entity may want to consider. In practice, the checksums built into ordinary transport protocols only detect accidental corruption; detecting deliberate modification by someone on the network path requires a keyed mechanism such as a message authentication code, or an authenticated transport such as TLS.
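The following Python example is added here to illustrate the distinction above; it is not code from the article or from HHS. It contrasts an unkeyed transport-style checksum (CRC32) with a keyed message authentication code (HMAC-SHA256) over a constructed, fictional ePHI record. The record, the key, and the function names are all hypothetical, made up for this example; a real deployment would obtain the key from a key-management system, not a source literal.

```python
"""Added example (not from the HHS guidance or the article): shows why a
transport checksum alone is not an integrity control against tampering,
while a keyed message authentication code (HMAC) is.

Assumptions (hypothetical, constructed for this example):
- the ePHI record below is fictional sample data;
- the shared key would in practice come from a KMS/HSM.
"""
import hashlib
import hmac
import json
import zlib

# Constructed sample record; every value here is fictional.
SAMPLE_RECORD = {
    "patient_id": "EXAMPLE-0001",
    "result": "HbA1c 6.1%",
    "clinician": "dr.example",
}

# Hypothetical shared key. Never keep a real key in source code.
SHARED_KEY = b"example-shared-key-do-not-use"


def serialize(record: dict) -> bytes:
    # Canonical JSON so sender and receiver compute over identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum_frame(record: dict) -> dict:
    """Unkeyed integrity check, like a TCP/IP checksum: detects accidents only."""
    payload = serialize(record)
    return {"payload": payload, "crc32": zlib.crc32(payload)}


def checksum_ok(frame: dict) -> bool:
    return zlib.crc32(frame["payload"]) == frame["crc32"]


def mac_frame(record: dict, key: bytes) -> dict:
    """Keyed integrity control: HMAC-SHA256 over the canonical payload."""
    payload = serialize(record)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return {"payload": payload, "tag": tag}


def mac_ok(frame: dict, key: bytes) -> bool:
    expected = hmac.new(key, frame["payload"], hashlib.sha256).digest()
    # Constant-time comparison; never compare MAC tags with ==.
    return hmac.compare_digest(expected, frame["tag"])


def tamper_in_transit(frame: dict, field: str, new_value: str) -> dict:
    """Model an on-path attacker who can read and rewrite the frame.

    The attacker changes one field. For the checksum frame they simply
    recompute the CRC (no secret needed). For the MAC frame they cannot
    recompute the tag without the key, so the old tag is left in place.
    """
    record = json.loads(frame["payload"])
    record[field] = new_value
    payload = serialize(record)
    tampered = dict(frame, payload=payload)
    if "crc32" in frame:
        tampered["crc32"] = zlib.crc32(payload)
    return tampered


def demo() -> dict:
    """Return which mechanism detected the in-transit modification."""
    cs = tamper_in_transit(checksum_frame(SAMPLE_RECORD), "result", "HbA1c 9.9%")
    mc = tamper_in_transit(mac_frame(SAMPLE_RECORD, SHARED_KEY), "result", "HbA1c 9.9%")
    return {
        "checksum_detected_tamper": not checksum_ok(cs),
        "mac_detected_tamper": not mac_ok(mc, SHARED_KEY),
        "mac_accepts_untampered": mac_ok(mac_frame(SAMPLE_RECORD, SHARED_KEY), SHARED_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The checksum frame passes verification after tampering because anyone can recompute a CRC; the HMAC frame fails because the tag cannot be regenerated without the key. Note that an HMAC provides integrity and origin authenticity only, not confidentiality, and on its own does not stop replay of an old valid frame; in practice both implementation specifications are usually met together by an authenticated, encrypted transport such as TLS, with the key material managed outside the application.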
What are Encryption Mechanisms?
According to HHS guidance, encryption is a method of converting an original message of readable text into encoded, unreadable text that can later be decrypted back into plain, comprehensible text. Only a party holding the corresponding key can perform that decryption, which is what prevents a third party on the network path from reading ePHI in transit.
405(d) guidance notes that organizations should enable endpoint encryption (p. 14): "Install encryption software on every endpoint that can connect to your information systems, especially mobile devices such as laptops. Maintain audit trails of this encryption in the event a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. For devices that cannot be encrypted or that are managed by a third-party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located."
The guidance also notes that organizations can "Train your workforce to comply with organizational procedures when sending PHI via email. Prioritize end-to-end encryption of PHI when sent via email or other messaging platforms. Patients can request and receive PHI via unencrypted electronic communications. HHS has developed materials to help educate patients that unencrypted communications containing PHI could be accessed by a third-party in transit."