Educause Security Discussion mailing list archives
Re: HIPAA Requires Encryption?
From: Paul Kendall <PKendall () ACCUDATASYSTEMS COM>
Date: Thu, 26 Aug 2010 16:07:25 -0500
Like so many federal requirements, HIPAA/HITECH does not specifically MANDATE encryption. However, the DHHS Pre-Audit checklist that goes to organizations DHHS is preparing to perform compliance audits against does specifically ask for a copy of your encryption policy/procedure. The questions I would ask in this case: "If you do not use encryption, what compensating controls do you have in place? Do these controls provide an approximately equivalent level of protection?" If the data is encrypted and it is lost, you are not under the same reporting obligations as you would be if it were lost unencrypted. In this era of fiscal deficit, I would expect the feds to maximize penalties every chance they get to increase their overall revenue stream.

Just my two sous' worth...

Paul

========================================
Paul L. Kendall, CGEIT, CHP, CHSS, CHS-III, CISM, CISSP, CSSLP, DHS-CVI, PCI QSA
PCI Qualified Security Assessor
Certified HIPAA Professional
Certified HIPAA Security Specialist
Senior Security Consultant
Accudata Systems, Inc.
15305 Dallas Parkway, Suite 300
Dallas, TX 75001
(817) 496-6450 Fort Worth Office
(877) 832-6013 Fort Worth FAX
(800) 246-4908 Corporate Office
(281) 897-5001 Corporate FAX
(713) 446-5259 Cell
http://www.accudatasystems.com

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Link
Sent: Thursday, August 26, 2010 3:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HIPAA Requires Encryption?

Very recently, I inherited the job of focusing information security efforts. In the process of upgrading a SQL server, a question has arisen regarding the provision in HIPAA (Addressable) to encrypt EPHI at rest on both the server and the backup media. It does come at some additional cost, though it's manageable. Before proceeding, however, I thought I'd ask if anyone has suggestions.

Thanks,
--Matthew Link.
Director, User Services
Information Services, UCM
660-543-8063
link () ucmo edu
Current thread:
- HIPAA Requires Encryption? Matthew Link (Aug 26)
- Re: HIPAA Requires Encryption? Paul Kendall (Aug 26)
- Re: HIPAA Requires Encryption? Plesco, Todd (Aug 26)
- Re: HIPAA Requires Encryption? Paul Kendall (Aug 26)
- Re: HIPAA Requires Encryption? Ozzie Paez (Aug 26)
- Re: HIPAA Requires Encryption? SCHALIP, MICHAEL (Aug 26)
- Re: HIPAA Requires Encryption? Ozzie Paez (Aug 26)
- Re: HIPAA Requires Encryption? Faith Mcgrath (Aug 27)
- Re: HIPAA Requires Encryption? SCHALIP, MICHAEL (Aug 26)