Transmission security has a critical role in healthcare

September 26, 2025

In November 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a new enforcement initiative focusing on the requirement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for covered entities and business associates to conduct accurate and thorough security risk assessments.

With the settlement with BST & Co CPAs LLP, announced on Aug. 18, the OCR is establishing a pattern of enforcement actions similar to what it achieved under its Right of Access Initiative, announced in 2019.

The risk assessment initiative is something that all covered entities and business associates will need to pay attention to, ensuring that their security risk assessments meet the OCR’s expectations for being accurate and thorough. This will require an understanding of the legal requirements under HIPAA and a look at all aspects of the technology used in the processing of electronic protected health information.

HIPAA establishes requirements for the protection of electronic protected health information through its security and privacy rules.

Under HIPAA, covered entities and business associates are required to ensure the confidentiality, integrity and availability of all electronic protected health information they create, receive, maintain or transmit. They must also protect against reasonably anticipated threats or hazards to the security or integrity of such information.

The HIPAA security rule allows for flexibility in how these standards are met, taking into account factors such as the size, complexity, capabilities, technical infrastructure, costs and potential risks to electronic protected health information. A critical component of these requirements is the encryption of electronic protected health information during electronic transmission to safeguard against unauthorized access or disclosure.

Flexibility of the Security Rule

The security rule establishes standards and implementation specifications for the protection of electronic protected health information. The implementation specifications are split into two categories: required and addressable.

It is easy to understand that required specifications are just that — required — but it is important to clarify that addressable implementation specifications are not optional.

Instead, they provide flexibility for covered entities to implement alternative measures that achieve the same purpose as the addressable specification, provided that such measures are reasonable and appropriate for the entity’s specific circumstances.

When a covered entity determines that an addressable implementation specification is not reasonable and appropriate, it must document the reasons for this determination and implement an alternative measure that accomplishes the intent of the standard. This approach allows entities to tailor their security measures to their size, complexity, capabilities and the nature of the risks to electronic protected health information they face.

Transmission Security

Specifically, Title 45 of the Code of Federal Regulations, Section 164.312(e)(1), requires the implementation of technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted. Encryption is identified as an addressable implementation specification within this section.

Encryption is defined in Section 164.304 as “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.”

This means that covered entities must evaluate whether encryption, or a similar algorithmic process used to transform data, is a reasonable and appropriate safeguard in their specific environment. If deemed reasonable and appropriate, such a process must be implemented.

Alternatively, if not implemented, the entity must document the rationale and implement an equivalent alternative measure to achieve the same intent of the applicable standard. This process is essential for maintaining the confidentiality and integrity of electronic protected health information.

Necessity of encryption in communication chain

The necessity of using encryption to prevent unauthorized disclosures among the entities in the communication chain of a transmission is underscored by the requirement to implement technical security measures that guard electronic protected health information while it is being transmitted.

This is especially true when considering the types of transmissions modern covered entities and business associates conduct as part of their daily operations, such as internal transmissions between locations or information systems, transmissions to external entities, or transmissions to external vendors such as payment processors.

Each transmission will often traverse the networks of multiple entities as part of the communication chain. The data may pass through an internet service provider, managed security services provider, software-as-a-service vendor, data exchange, transaction processor, or other type of entity before it reaches the intended recipient.

Some of these transmissions will fall outside of the requirements of the HIPAA security and privacy rules thanks to an exception defined under the HIPAA omnibus final rule, referred to as the conduit exception.

To fit under the exception, a fact-based assessment must be conducted to determine whether the entity that is aiding in the transmission only has “occasional, random access to protected health information.”

This assessment must look at the data being transmitted in its entirety, including any metadata, to make a proper determination. The conduit exception is very narrowly tailored to account for certain types of service providers such as internet service providers or the postal service or mail couriers.

It is important to note that most data processors have more than random access to the electronic protected health information they process or transmit, because such access is necessary either to ensure the security of the information they are processing or to allow the entity to provide its service.

This access can arise through simple data backup measures or through the technical processing of metadata. Arguably, these intermediary technology vendors will have greater than random access to the electronic protected health information contained in the data they process, especially if that data is not encrypted.

A good example of this, and one often dealt with by HIPAA privacy officers, is the transmission of electronic protected health information over SMS messages. Often, providers neglect to consider the types of access a telecommunications provider will have to the electronic protected health information contained in these types of messages, which fall outside of the conduit exception.

Transmissions that are encrypted make this assessment and determination easier, as technology providers or data processors will not have access to the data unless they hold the key needed to decrypt it.

Compliance and documentation

Covered entities and business associates must ensure compliance with all applicable requirements of the security rule, including both required and addressable specifications. This involves conducting a thorough risk analysis to identify potential risks and vulnerabilities to electronic protected health information and implementing security measures to mitigate those risks.

When considering electronic transmissions of electronic protected health information, whether the information is traveling over an internal network or to external partners such as payment processors or cloud service providers, this will require a detailed look at the data being transmitted to ensure that all electronic protected health information transmitted, and any potential access to it along the communication chain, is accounted for.

This includes both the visible information and the metadata or machine-readable data associated with many modern data types. This assessment must be a dynamic process that reassesses any previous decisions regarding the security measures used to protect electronic protected health information.

Consideration must be given to any new technologies or capabilities of the entity, any changes in potential threats or risks to the electronic protected health information, or any other material changes that could affect the security of the electronic protected health information, both while the covered entity or business associate has direct control over the data and while the data is traveling from the covered entity or business associate to another entity.

Additionally, covered entities and business associates must maintain documentation of their security measures and the rationale for any alternative measures adopted in place of addressable specifications.

It is also important to note that there are some electronic transmissions, such as the acceptance and processing of electronic payments for medical services, that must also comply with other industry standards, such as the Payment Card Industry Data Security Standard.

Compliance with these standards does not guarantee compliance with the security rule and should not be considered a substitute for taking measures to meet information security obligations under HIPAA.

Conclusion

In summary, while the HIPAA security rule provides flexibility through addressable specifications, it mandates that covered entities and business associates either implement these specifications or adopt alternative measures that meet the standards’ intent.

This ensures that all entities, regardless of size or complexity, maintain robust protections for electronic protected health information, including during the entire communication chain involving that information.

Electronic transactions, even if conducted in compliance with other industry standards such as the Payment Card Industry Data Security Standard, must be reviewed to ensure that any protected health information included in the transactions is protected as required under the security rule, through encryption or similar means.

Only through this cybersecurity review and management process will an entity meet its compliance obligation to conduct accurate and thorough security risk assessments as a HIPAA-covered entity or business associate and, hopefully, remain out of the crosshairs of the new risk assessment initiative.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.
