POLICY # 52
ENCRYPTION
ADMINISTRATIVE MANUAL
APPROVED BY:
SUPERSEDES POLICY:
DATE:
ADOPTED:
REVISED:
REVIEWED:
REVIEW:
PAGE:
HIPAA Security Rule Language:
“Implement a mechanism to encrypt EPHI whenever deemed appropriate.”
Policy Summary:
When risk analysis indicates it is necessary, appropriate encryption must
be used to protect the confidentiality, integrity and availability of
Sindecuse Health Center (SHC) data transmitted over electronic
communications networks. SHC must protect all cryptographic keys
against modification and destruction; secret and private keys must be
protected against unauthorized disclosure. SHC must have a formal,
documented process for managing the cryptographic keys used to encrypt
SHC data transmitted over electronic communications networks.
Purpose:
This policy reflects SHC’s commitment to appropriately use encryption
to protect the confidentiality, integrity and availability of SHC data
transmitted over electronic communications networks.
Policy:
1. When risk analysis indicates it is necessary, appropriate encryption
must be used to protect the confidentiality, integrity and availability of
SHC data transmitted over electronic communications networks. The
risk analysis must also be used to determine the type and quality of the
encryption algorithm and the length of cryptographic keys.
2. At a minimum, SHC’s risk analysis must consider the following
factors when determining whether or not encryption must be used when
sending specific data over an electronic communications network:
• The sensitivity of the data
• The risks to the data if they are not encrypted
• The expected impact to SHC functionality and work flow if the data are encrypted
• Alternative methods available to protect the confidentiality, integrity and availability of the data
• The ability of the recipient of the data to decrypt the data received
3. Encryption must always be used when highly sensitive SHC data such
as passwords are transmitted over electronic communications networks.
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
4. All encryption used to protect the confidentiality, integrity and
availability of SHC data transmitted over an electronic communications
network must be approved by SHC’s information security office.
5. SHC must have a formal, documented process for managing the
cryptographic keys used to encrypt SHC data transmitted over electronic
communications networks. Its secret and private keys must be protected
against unauthorized disclosure. At a minimum, the cryptographic key
management process must include:
• A procedure for generating keys for different cryptographic systems
• A procedure for distributing keys to intended users and then activating them
• A procedure for enabling authorized users to access stored keys
• A procedure for changing and updating keys
• A procedure for revoking keys
• A procedure for recovering keys that are lost or corrupted
• A procedure for archiving keys
• Appropriate logging and auditing of cryptographic key management
6. When possible, SHC cryptographic keys must have defined activation
and deactivation dates.
Scope/Applicability:
This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory Category:
Technical Safeguards
Regulatory Type:
ADDRESSABLE Implementation Specification for Transmission
Security Standard
Regulatory Reference:
45 CFR 164.312(e)(2)(ii)
Definitions:
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Availability means the property that data or information is accessible and
useable upon demand by an authorized person.
Confidentiality means the property that data or information is not made
available or disclosed to unauthorized persons or processes.
Integrity means the property that data or information have not been
altered or destroyed in an unauthorized manner.
Encryption means the conversion of data into secret, unreadable code.
To read encrypted data, a person must have access to a secret key or
password that enables them to decrypt (decode) the data.
Cryptographic key means a variable value that is applied using an
algorithm to data to produce encrypted text, or to decrypt encrypted text.
The length of the key is a factor in considering how difficult it will be to
decrypt the data.
Electronic communications network means any series of nodes
interconnected by communication paths that is outside the [Hospital
Name] network (e.g., the Internet). Such networks may interconnect with
other networks or contain sub networks.
Responsible Department:
Information Systems
Policy Authority/Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure #(TBD).
Related Policies:
Transmission Security
Integrity Controls
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD