Appendix Q 479
ii. Encryption and Decryption
“Implement a mechanism to encrypt and decrypt electronic protected health information.”⁴⁹
As a form of security, encryption provides confidentiality of information. This became an “addressable” requirement because the value and feasibility of encrypting data were questioned. The cost of encrypting information, together with its ongoing maintenance and support, can be very high for small entities and even for some larger entities. Making this specification “addressable” gave entities the option to encrypt data based on their specific risks.
1. Has the client’s risk analysis addressed the issue of data encryption?
Guidance: The client’s risk analysis should have considered the issue of encryption. Based on the risk analysis, the client should be able to articulate why encryption is or is not being used.
Client Response:
2. STANDARD — AUDIT CONTROLS (REQUIRED)
“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”⁵⁰
This standard essentially requires entities to evaluate the systems currently in use and determine whether they can record and examine the activities of individuals accessing electronic protected health information in those systems. Note that the standard specifically mentions hardware and software. Compliance with this standard may require new systems or custom coding of existing systems. Audit controls are by nature flexible and depend on the level of risk. The comments and subsequent responses documented in the Federal Register clearly state that audit controls should be based on the entity’s own risk analysis. This specification should be analyzed in conjunction with the related Privacy specifications, which require entities to account for disclosures of protected health information to individuals upon request.
1. As part of the risk analysis, has the client reviewed these hardware and
software mechanisms for recording activity?
Guidance: This requirement is based on the risk analysis. When determining what is to be reviewed, the client should consider current staffing and
AU1706_book.fm Page 479 Tuesday, August 17, 2004 11:02 AM