Answer (Crowell & Moring LLP - Jodi Daniel - 11/20/23):
The rules do not require encryption. Encryption is “addressable” under the Security Rule. This means that the CE must assess whether encryption is reasonable and appropriate, and implement encryption if it is reasonable and appropriate to do so, or document why it would not be reasonable and appropriate and implement an alternative measure. The compliance requirement applies to the CE, not NACHC, who is receiving the data. That said, there is a benefit of encryption. If data is breached and it is encrypted in accordance with OCR guidance, then there is no requirement to do breach notification under HIPAA.

NIH guidance on privacy and security/HIPAA for limited data sets:

https://privacyruleandresearch.nih.gov/pr_08.asp