Posted by: DrJosephKim
cms, encryption, HIPAA
Over the years, we have seen many people talk about “HIPAA-compliant” communication platforms that provide a high level of enterprise security and encryption. These discussions have often led to the question, “What are HIPAA-specific encryption requirements?” Also, “Is Skype HIPAA-compliant?”
All of these questions lead to further confusion because the HIPAA Privacy Rule (2003 Final Rule) does NOT specify encryption requirements under Section 164.312 technical safeguards. Also, if you read the comments that were left on page 8357, they state that “specification of an algorithm strength or specific products would be inappropriate…. any minimum specification would soon be outmoded…We maintain that it is much more appropriate for this final rule to state a general requirement for encryption protection when necessary and depend on covered entities to specify technical details, such as algorithm types and strength.”
So, let’s take a real-world example: Is it HIPAA-compliant to use Skype for video conferencing if a physician wants to treat a patient?
Skype uses the AES (Advanced Encryption Standard*), also known as Rijndael, which is used by the US Government to protect sensitive information, and Skype uses the maximum 256-bit encryption. User public keys are certified by the Skype server when logging in, using 1536 or 2048-bit RSA certificates.
Based on modern-day encryption standards, that seems fairly robust. Of course, we also have to consider the security of the wireless or wired network since an open, unencrypted network could compromise the personal health information (PHI) that is shared during that call. The same is true if you’re planning on using Apple FaceTime (which also uses encryption technology).
Finally, we can’t forget that the biggest payer in the United States is CMS (Centers for Medicare & Medicaid Services). CMS has an Internet Security Policy and even has an updated “CMS System Security and e-Authentication Assurance Levels by Information Type” document. Although CMS is a single organization, others are likely to follow its lead. So, if you’re thinking about encryption requirements around HIPAA, see what CMS is doing in this space.