Description
Unencrypted ePHI on lost or stolen devices is the single most common source of large HIPAA breaches. Documented encryption standards are foundational to any defensible security program.
The HIPAA Encryption Standards Policy Template establishes your organization’s encryption requirements and technical controls for protecting ePHI across your environment. It is aligned to the Transmission Security and Device and Media Controls standards in the Security Rule, as well as NIST encryption guidance including SP 800-111 and SP 800-52.
This policy does more than check a compliance box. It gives your IT team clear, enforceable standards to work from and gives your security officer the documentation needed to demonstrate that encryption requirements are defined and implemented.
What This Template Covers
- Encryption requirements for ePHI at rest across servers, databases, workstations, and removable media
- Encryption requirements for ePHI in transit covering email, web, APIs, and file transfer
- Approved encryption algorithms and minimum key length standards aligned to NIST guidance
- Mobile device and laptop full-disk encryption requirements
- Encryption key management responsibilities and procedures
- Cloud storage and third-party service provider encryption requirements
- Exceptions process and compensating control documentation
- Testing, monitoring, and evidence retention requirements
Who This Is For
Security officers, IT security teams, and compliance professionals at covered entities and business associates who need to formally document their encryption standards as part of a HIPAA-compliant security program.
Delivered as an editable Microsoft Word (.docx) file. Available immediately after purchase.
