What is the HIPAA Security Rule Transmission Security Standard?

Modified on Tue, 5 Mar at 11:20 AM


DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

The HIPAA Security Rule Transmission Security standard is a Technical Safeguard standard. It reads:

(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. 

(2) Implementation specifications:

(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. 

(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. 


Transmission security measures are mechanisms to guard against unauthorized access to ePHI being transmitted over an electronic communications network.

What Kinds of Transmissions are Covered by the Security Rule Transmission Security Standard?
Transmissions covered by the rule include switched, point-to-point connections, dial-up lines, and transmissions made over the Internet.


Covered entities and business associates must take measures to guard against unauthorized access to and protect the integrity and confidentiality of ePHI that is transmitted over an electronic communications network. Such measures will ensure ePHI has not been modified without authorization, or corrupted, without detection during transmission.

 

Measures to Ensure ePHI is Not Improperly Modified Without Detection Until Disposed of include:

 

  • Ensuring that wired and wireless transmission of ePHI will utilize secure protocols (encryption).

  • Requiring that all remote access to ePHI be by secure means only.

  • Prohibiting the sending of unprotected ePHI by unencrypted email, UNLESS medical records containing the ePHI have been requested by a patient who specifically requires them to be delivered in an unencrypted email. The best practice here is to warn the patient that this is not a secure method of communication, and to obtain the patient’s acknowledgment and consent in writing, prior to sending.

  • Considering mandating a Virtual Private Network (VPN) for all remote users.

  • Ensuring that employees redact ePHI from the body of received email before replying to it.

 

Organizations should also implement a mechanism(s) to encrypt ePHI whenever deemed appropriate. Encryption measures to consider include:

 

  • Implementing encryption measures to encrypt data at rest.

  • Implementing encryption measures to encrypt data in motion.

  • Implementing encryption measures for files, data, and devices containing ePHI.

  • Implementing end-to-end encryption for external emails containing ePHI.

  • Implementing a mechanism to encrypt electronic protected health information in any other situations whenever it is deemed appropriate. In such situations, data at rest and data in motion should be encrypted. Full disk encryption should be implemented. Files, data, and devices containing ePHI should be encrypted. Email encryption should be end-to-end.

What Level of Protection is Required for Transmissions Covered Under the Transmission Security Standard?
When electronic protected health information is transmitted from one point to another, it must be protected in a manner commensurate with the associated risk.

 
