§164.312(e)(2)(ii): Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Audit Inquiry

Does the entity have policies and procedures in place to implement an encryption mechanism to encrypt ePHI whenever deemed appropriate?

Does the entity have encryption mechanism to encrypt ePHI whenever deemed?

Obtain and review policies and procedures regarding the encryption of electronically transmitted ePHI. Evaluate the content relative to the specified criteria to determine that the implementation and use of encryption appropriately secures electronically transmitted ePHI.

Elements to review may include but are not limited to:
• Type(s) and documentation of encryption technology used to secure electronically transmitted ePHI
• How the confidential processes or keys used for encryption are managed and protected
• How access to modify or create keys is restricted to appropriate personnel
• Identify when it is appropriate to encrypt ePHI

Obtain and review documentation demonstrating the encrypted mechanism is implemented to encrypt ePHI. Evaluate and determine whether encrypted mechanism has the capability to encrypt ePHI when it is deemed as appropriate.

Obtain and review documentation demonstrating that electronically transmitted ePHI is encrypted. Evaluate and determine if ePHI encrypted is appropriate and in accordance with related policies and procedures.

Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.