What is the HIPAA Security Rule Transmission Security Standard?

Modified on Thu, 31 Jul at 4:55 PM


DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

This article discusses the HIPAA Security Rule Transmission Security standard, a technical safeguard measure that must be implemented to prevent unauthorized access to ePHI being transmitted over an electronic communications network.

The HIPAA Security Rule Transmission Security standard is a Technical Safeguard standard. It reads:

(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

(2) Implementation specifications:

    (i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

    (ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.


Transmission security measures are mechanisms to guard against unauthorized access to ePHI being transmitted over an electronic communications network.


What are Methods of Protecting ePHI Integrity?

According to HHS guidance, a primary method for protecting the integrity of ePHI being transmitted is the use of network communications protocols. In general, these protocols, among other things, ensure that the data sent is the same as the data received. The guidance notes that there are other security measures that can provide integrity controls for ePHI being transmitted over an electronic communications network, such as data or message authentication codes, that a HIPAA-covered entity may want to consider.
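The following is an added illustration of the message authentication code (MAC) integrity control mentioned above; it is not code from HHS guidance or from Compliancy Group. It assumes the sender and receiver already share a secret key (in practice distributed out of band or negotiated by a protocol such as TLS), and the patient record it protects is a constructed sample, not real data. The sender appends an HMAC-SHA256 tag to the record; the receiver recomputes the tag and rejects any record whose tag no longer matches, which is exactly the "not improperly modified without detection" property the implementation specification asks for.

```python
"""Integrity control for ePHI in transit using an HMAC (message authentication code)."""
import hashlib
import hmac
import os

# HMAC-SHA256 produces a 32-byte tag.
TAG_LEN = hashlib.sha256().digest_size


def protect(key: bytes, payload: bytes) -> bytes:
    """Sender side: append an HMAC-SHA256 tag computed under the shared key.

    Changing even one bit of the payload in transit cannot be matched with a
    valid tag without the key, so the receiver can detect the change.
    """
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


def verify(key: bytes, frame: bytes) -> bytes:
    """Receiver side: split off the tag, recompute it, and compare in constant time.

    Returns the payload if it is intact; raises ValueError if it was modified.
    """
    if len(frame) < TAG_LEN:
        raise ValueError("frame too short to carry an integrity tag")
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest avoids leaking tag bytes through timing differences.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: ePHI was modified in transit")
    return payload


def detects_modification(key: bytes, frame: bytes, position: int) -> bool:
    """Flip one bit of the frame (simulating corruption or tampering in transit)
    and report whether verify() rejects the damaged frame."""
    damaged = bytearray(frame)
    damaged[position] ^= 0x01
    try:
        verify(key, bytes(damaged))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = os.urandom(32)  # assumed: shared secret agreed out of band
    # Constructed sample record; not real patient data.
    record = b'{"patient":"MRN-000000","result":"HbA1c 6.1%"}'
    frame = protect(key, record)
    print("intact frame accepted:", verify(key, frame) == record)
    print("modified payload detected:", detects_modification(key, frame, 10))
    print("modified tag detected:", detects_modification(key, frame, len(frame) - 1))
```

A MAC on its own only addresses the integrity specification: the record is still readable by anyone on the network path. Transport protocols such as TLS combine a MAC (or an authenticated-encryption mode) with encryption, which is why the guidance treats network communications protocols as the primary integrity control and encryption as a separate but complementary specification.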

What are Encryption Mechanisms?

According to HHS guidance, encryption is a method of converting an original message of regular text into encoded or unreadable text that is eventually decrypted into plain, comprehensible text.

The HHS 405(d) guidance notes that covered entities should enable endpoint encryption (p. 14): "Install encryption software on every endpoint that can connect to your information systems, especially mobile devices such as laptops. Maintain audit trails of this encryption in the event a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. For devices that cannot be encrypted or that are managed by a third-party, implement physical security controls to minimize theft or unauthorized removal. Examples include installation of anti-theft cables, locks on rooms where the devices are located, and the use of badge readers to monitor access to rooms where devices are located."

The guidance also notes that organizations can "Train your workforce to comply with organizational procedures when sending PHI via email. Prioritize end-to-end encryption of PHI when sent via email or other messaging platforms. Patients can request and receive PHI via unencrypted electronic communications. HHS has developed materials to help educate patients that unencrypted communications containing PHI could be accessed by a third-party in transit."
