On June 18, 2018, the U.S. Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) announced an Administrative Law Judge’s (ALJ) ruling that OCR properly imposed penalties against The University of Texas MD Anderson Cancer Center (MD Anderson) for failing to encrypt laptops and USB thumb drives, in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. One reason this decision is significant is that it may resolve an unsettled question: Is the use of encryption mandatory in the Security Rule? HHS’s short answer has been “No,” but based on the ALJ opinion, its long answer equates to “Yes” – at least when covered entities and business associates decide that encryption is necessary.

By way of background, whether encryption is required has long been unclear. For example, on the HHS website in response to the frequently asked question “Is the use of encryption mandatory in the Security Rule?,” HHS first states “No,” but then qualifies this answer: “The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI.”