Standard for HIPAA Encryption
Purpose
Ohio University will implement and utilize appropriate encryption technologies to maintain the security of electronic Protected Health Information (ePHI).
Scope
This standard will apply to all Ohio University operating units that store, process, or transmit protected health information, and all persons associated with Ohio University, including students, workforce members, and third-party entities.
Standard
Data at rest:
- Electronic records must be stored within an encrypted file system or application approved by the Information Security Office (ISO) through the process outlined within the information security standard: Third-Party Vendor Management Standard.
Data in transit:
- If ePHI is being transmitted over an electronic communications network, reasonable and appropriate transmission security measures must be implemented to adequately address the risk to the ePHI; and
Encryption and Decryption:
- All transmissions of ePHI must utilize an ISO-approved encryption mechanism as outlined within the Information Security Standard: Acceptable Encryption Standard.
- Other transmission security measures may be investigated and approved by ISO and added as options. If an OHIO workforce member would like to use a security method other than encryption, they must first contact the Information Security Office and then receive written approval from the HIPAA Security Officer.
Electronic Messaging:
Electronic messages, such as email, containing ePHI must be encrypted and transmitted only through an ISO-approved secure messaging system.
Portable Media Device Security:
Any portable computing device, such as a laptop, tablet, or smartphone, or portable media, such as USB flash drives, memory sticks, DVDs, or CDs, must be encrypted and must adhere to the information security standard: Mobile Computing and Storage Device Standard, which outlines the technical and physical safeguards to implement in order to ensure that the data stored on the device is inaccessible to unauthorized users.
Definitions
- Protected Health Information (PHI): PHI means individually identifiable health information created or received by (or on behalf of) a health care provider, health care clearinghouse, or health plan.
- Encryption: Process by which information is encoded, preventing unauthorized individuals from accessing the information.
References
- 45 C.F.R. § 164.310(c), 164.310(d)(1), 164.312(e)(1)
- Policy 03.001 General Policy on Health Insurance Portability and Accountability Act (HIPAA) Compliance
- Ohio University Provider HIPAA Privacy Standards and Procedures
- Ohio University Health Plan HIPAA Privacy Standards and Procedures
- Policy 91.005 Information Security
- Policy 93.001 Data Classification
- Information Security Standard: Third-Party Vendor Management Standard
- Information Security Standard: Acceptable Encryption Standard
- Information Security Standard: Mobile Computing and Storage Device Standard
- Information Security
- Office of Information Technology Guide to Protected Health Information
Governance
This standard will be reviewed and approved by the University HIPAA Steering Committee and other key stakeholders, in the interest of ensuring the privacy and security of individuals' health information, as deemed appropriate based on current regulatory requirements.
Status: Approved
Effective: September 24, 2019