§164.312(a)(2)(iv): Implement a mechanism to encrypt and decrypt electronic protected health information.
Audit Inquiry
Does the entity have policies and procedures in place to encrypt and decrypt ePHI including processes regarding the use and management of the confidential process or key used to encrypt and decrypt ePHI?
Does the entity encrypt and decrypt ePHI including processes regarding the use and management of the confidential process or key used to encrypt and decrypt ePHI?
Obtain and review the policies and procedures regarding the encryption and decryption of ePHI. Evaluate the content relative to the specified criteria to determine that the implementation and use of encryption appropriately protects ePHI.
Elements to review may include but are not limited to:
• Type(s) and documentation of encryption technology used for devices and media that contain or have access to ePHI
• How the confidential processes or keys used for encryption and decryption are managed and protected
• How access to modify or create keys is restricted to appropriate personnel
Obtain and review documentation demonstrating ePHI being encrypted and decrypted. Evaluate and determine if ePHI is encrypted and decrypted in accordance with related policies and procedures.
Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.
Required/Addressable
Addressable