Is Encryption Optional under HIPAA?
- johnehaskell
- Mar 19
- 2 min read

The recently announced proposed updates to the HIPAA Security Rule have garnered a lot of attention in the industry, with many comparing the current iteration of the Security Rule to the proposed updates. One thing commenters point out is that the proposed updates do away with "addressable" implementation specifications, and they take this to mean that encryption will no longer be "optional."
But is encryption "optional" under the current Security Rule?
There is a lot of confusion around what the current iteration of the Security Rule requires. The Security Rule is made up of standards and implementation specifications. Think of a standard as an overarching policy statement, and an implementation specification as the specific things that need to be done to implement that policy. For example, the Security Rule has the standard "Security management process," which requires a covered entity or business associate to "implement policies and procedures to prevent, detect, contain, and correct security violations." That standard has four (4) implementation specifications--risk analysis, risk management, sanction policy, and information system activity review--that define how to implement or meet that standard.
Implementation specifications are either "required" or "addressable." When an implementation specification is required, a covered entity or business associate must implement it without question. When an implementation specification is addressable, a covered entity or business associate must assess whether it is reasonable and appropriate in its environment and, if so, implement it. If the entity determines that the implementation specification is not reasonable and appropriate, it must document why, and it must implement an equivalent alternative measure if doing so is reasonable and appropriate.
In other words, the default position is that an addressable implementation specification must be implemented unless the covered entity or business associate documents why it should not implement it, while also implementing an alternative measure where one is reasonable and appropriate. "Addressable" does not mean "optional."
Currently, encryption appears in the Security Rule only as an addressable implementation specification (under the Access Control standard at 45 CFR 164.312(a)(2)(iv) and the Transmission Security standard at 45 CFR 164.312(e)(2)(ii)), leading some to believe that HIPAA does not "require" encryption. This conclusion ignores the default position for addressable implementation specifications: an entity that does not encrypt must have assessed encryption, documented why it is not reasonable and appropriate, and put an equivalent alternative measure in place.