The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and their business associates to safeguard patient information against accidental exposure and malicious data breaches. Failure to do so risks multi-million dollar penalties and reputational harm, which makes data encryption critically important.

This article explores the relationship between HIPAA and encryption. The topic matters because HIPAA's encryption requirements are vague in places, yet the consequences of non-compliance are severe, so organizations need clarity about what HIPAA actually requires and how to meet it.

What are HIPAA encryption requirements?

Under the HIPAA Security Rule in Title 45 CFR, Part 164, Subpart C, regulated entities must implement technical safeguards to protect electronic protected health information (ePHI).

The addressable specification at 45 CFR §164.312(a)(2)(iv) says entities should “implement a mechanism to encrypt and decrypt electronic protected health information.”

For transmissions, 45 CFR §164.312(e)(2)(ii) is addressable and requires encryption if reasonable and appropriate based on risk analysis. Encryption of ePHI is not automatically mandatory; entities must implement it when reasonable and appropriate, implement an equivalent alternative, or document why neither is reasonable, per HHS’s addressable-vs-required guidance.

HIPAA doesn’t prescribe algorithms, but HHS recognizes data as “secured” (and exempt from breach notification) when encryption follows NIST guidance and uses FIPS-validated cryptography (e.g., NIST SP 800-111 for storage; SP 800-52/77/113 for data in motion). This situation creates space for many potential solutions, depending on the needs of individual organizations.

Does HIPAA require encryption?

HIPAA does not mandate encryption outright. But because it’s addressable, entities must implement it when reasonable and appropriate, implement an equivalent alternative, or document a risk-based rationale.

The encryption specifications sit in the technical safeguards at 45 CFR §164.312 of the HIPAA Security Rule and are marked addressable. Organizations must implement encryption if their risk analysis finds that encrypting the data is reasonable and appropriate.

In practice, encryption is strongly expected for systems that create, receive, maintain, or transmit ePHI, unless a documented risk analysis justifies an equivalent alternative.

If other measures protect ePHI equally well, encryption may not be necessary for a given system. The rule is deliberately flexible to accommodate different organizational needs. However, organizations must document the reasoning behind a decision not to encrypt, along with the equivalent alternative measure they implemented instead.

The importance of HIPAA encryption for ePHI

Modern healthcare organizations collect vast amounts of information about patients and treatment providers. Health information held by a covered entity or business associate qualifies as protected health information (PHI) when it identifies an individual or could reasonably be used to do so, and PHI requires protection under HIPAA.

Examples of identifiers that make health information PHI include:

  • Personal names
  • Street addresses and phone numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Vehicle identifiers, including license plate numbers
  • Health plan beneficiary numbers
  • IP addresses
  • Biometric identifiers
  • Full-face photographs

Encryption technologies matter because they allow covered entities to safeguard the PHI types listed above.

Encryption uses a cryptographic algorithm and a secret key to convert readable PHI into ciphertext that is unintelligible without the key. As a result, attackers who steal encrypted data but not the key cannot read it, sell it on the Dark Web, or use it for other criminal purposes.

Encryption of data at rest protects stored personal information against data theft. Encryption of data in transit protects data transfer systems, enabling healthcare organizations to communicate securely with service users and partners.

Under 45 CFR Part 164, encryption helps prevent unauthorized access to ePHI and supports Security Rule safeguards. Encryption also helps organizations comply with the HIPAA Privacy Rule by ensuring patient confidentiality.

Previously, organizations reliant on paper records and on-premises data storage may not have needed encryption systems to ensure compliance. However, encryption is a vital HIPAA compliance tool for companies that use cloud storage or transmit PHI over the internet.

Case studies: Why HIPAA encryption requirements matter

Simple encryption measures can avoid significant compliance penalties, and real-world examples demonstrate the importance of encryption in HIPAA-compliant organizations.

  • The University of Rochester Medical Center (URMC): In 2019, URMC agreed to a $3 million settlement with HHS after the loss of an unencrypted flash drive and an unencrypted laptop used by staff. The University has 26,000 healthcare staff, yet the penalty stemmed from those two devices. HHS investigators found that URMC's own risk analysis had identified the lack of encryption as a high risk to patient privacy, but the organization continued to permit unencrypted mobile devices.
  • Children's Medical Center of Dallas (CMCD): CMCD suffered a similar failure in 2017, when HHS imposed a $3.2 million civil money penalty following the loss of an unencrypted BlackBerry and the theft of an unencrypted laptop. The penalty reflected that CMCD had been warned about unencrypted devices years earlier and failed to act, highlighting the need for swift remediation once unsecured devices are identified.

Both of the examples above highlight the value of encryption in mitigating compliance risks. Without encryption, device theft or loss may expose electronic PHI to unauthorized access. If ePHI is encrypted consistent with NIST/HHS guidance and the key isn’t compromised, it’s considered “secured,” and breach notification isn’t required under the Breach Notification Rule.

Key HIPAA encryption requirements

HIPAA encryption requirements under the security rule

The HIPAA Security Rule deals with securing patient data against malicious actors. What does the Security Rule say about HIPAA encryption standards?

Under the HIPAA Security Rule, data encryption applies to stored and transferred data. This is an important distinction, as encryption tools vary depending on where data resides and who is using it. Let's discuss both aspects of encryption before suggesting some HIPAA compliance best practices.

Data at rest

Data at rest is data stored on a device rather than moving across a network: for instance, PHI held in cloud object storage, on local SSDs, or on third-party backup servers.

For data at rest, HHS points to NIST SP 800-111 (“Guide to Storage Encryption Technologies for End User Devices”). Covered entities and business associates should refer to NIST guidance for detailed technical recommendations.

NIST SP 800-111 describes three classes of storage encryption: full disk encryption (FDE), virtual disk encryption, and file or folder encryption. FDE protects a powered-off or locked device, but once the device is booted and unlocked the volume is readable, so organizations often layer file- or folder-level encryption on top of FDE for the most sensitive data.

Organizations should also take a device-centric approach. Employees may store patient data on smartphones and tablets as part of everyday duties, so security teams must ensure those devices use the platform's built-in storage encryption and enforce it through device management policies.

Use FIPS 140-validated cryptographic modules and NIST-approved algorithms (e.g., AES-128/256) appropriate to risk and system design; HIPAA does not require AES-256 specifically. Correctly configured, validated implementations of standard algorithms matter far more than novel ones.

The bottom line is that every device holding ePHI at rest should be encrypted unless a documented risk analysis justifies an equivalent alternative.

Data in transit

Data-in-transit moves between different devices and users. For example, healthcare providers often receive personal information from patients and share this with insurance companies or third-party medical partners.

Securing data in transit presents different technical challenges when meeting HIPAA encryption requirements. Cyber criminals can exploit insecure data transfers via man-in-the-middle and malware attacks, exposing critical data to unauthorized actors.

NIST also provides guidance relevant to HIPAA encryption standards for data in transit. The relevant documents are NIST Special Publication 800-77 ("Guide to IPsec VPNs") and NIST Special Publication 800-52 ("Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations").

The above NIST documents deal with encryption protocols for transferring data. NIST SP 800-77r1 gives practical guidance for configuring IPsec VPNs to protect data in transit, aligning with HHS’s recognized encryption approaches.

NIST SP 800-52r2 provides TLS selection and configuration guidance: servers must support TLS 1.2 and should support TLS 1.3, while all SSL versions and TLS 1.0/1.1 should be disabled. Healthcare organizations widely follow this baseline, which adds another layer of PHI protection, especially for web applications. The guidance also covers the details that commonly go wrong in practice: validating certificate chains and hostnames, choosing approved cipher suites, and disabling deprecated protocol versions.

Do business associates need to encrypt data under HIPAA?

HIPAA encryption requirements apply to business associates, not just covered entities: any third party that creates, receives, maintains, or transmits ePHI on a covered entity's behalf must comply with the Security Rule directly. Covered entities must still ensure that business associates understand encryption requirements and have systems in place to safeguard PHI.

Ensure BAAs require safeguards consistent with the Security Rule; HIPAA references §164.308(b) (BA oversight) and §164.314(a) (organizational requirements for BA contracts). BAAs enforce contractual requirements to ensure HIPAA compliance and protect covered entities. In the event of a HIPAA violation by a third party, the covered entity can show that it took reasonable steps to ensure data encryption.

Specify use of FIPS 140-validated crypto and NIST-aligned protocols (e.g., AES in validated modules; TLS per NIST SP 800-52) for data at rest and in transit. Regularly assess each business associate agreement to ensure compliance, and highlight potential violations with associates before they lead to HIPAA penalties.

Best practices for ensuring HIPAA encryption compliance

Encryption is a critical aspect of meeting HIPAA Security Rule requirements, but it presents technical and regulatory challenges for covered entities. Here are some encryption best practices to strengthen compliance and avoid reportable breaches.

Use recognized security frameworks for guidance

For starters, organizations do not operate in a vacuum. NIST frameworks supply essential guidance when implementing encryption and related technologies (such as VPNs and access controls). Leverage all available assistance to cover every compliance base.

Apply Full Disk Encryption for work devices

Prefer FIPS 140-validated full-disk or file-level encryption for devices storing ePHI (see NIST SP 800-111 for storage guidance). A lost or stolen device whose ePHI was encrypted this way, with the key not compromised, holds "secured" PHI under HHS guidance, so its loss is not a reportable breach. Regulators also treat device encryption as satisfying the addressable specification because the organization has taken proactive steps to safeguard confidential data.

Implement strong encryption for data-in-transit

As discussed earlier, encrypting data transfers is an addressable requirement under HIPAA. Organizations should protect data transfers with TLS 1.2 or TLS 1.3, regularly assess transfer systems to remove deprecated protocols (SSL, TLS 1.0 and 1.1), and ensure TLS covers every path over which ePHI moves, including internal service-to-service traffic.
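The following is an added example, not code from the original article, showing what the SP 800-52r2 floor discussed in the data-in-transit section and in this best practice looks like in a client: a TLS context that accepts only TLS 1.2 and later and validates the server certificate and hostname, next to a deliberately weak context of the kind found in old integrations, and an audit function that reports which settings fall below the floor. It uses only the Python standard library and opens no network connection. The cipher string is an assumption chosen to keep only forward-secret AES-GCM suites for TLS 1.2; it is not a value prescribed by HIPAA or NIST.

```python
import ssl
import warnings

# Floor applied by audit_context(): TLS 1.2 or later, certificate path
# validation on, hostname checked. TLS12_CIPHERS is an assumption (AEAD suites
# with ephemeral key exchange); TLS 1.3 suites are configured separately by
# OpenSSL and are left at their defaults here.
TLS_FLOOR = ssl.TLSVersion.TLSv1_2
TLS12_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM"


def hardened_client_context() -> ssl.SSLContext:
    """Client context that meets the floor: TLS 1.2+, CERT_REQUIRED, hostname check."""
    ctx = ssl.create_default_context()   # sets CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = TLS_FLOOR      # SSLv3, TLS 1.0 and TLS 1.1 are refused
    ctx.set_ciphers(TLS12_CIPHERS)       # forward-secret AEAD suites only for TLS 1.2
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Deliberately weak context resembling an old integration: no certificate
    validation and, where the local OpenSSL still permits it, TLS 1.0 accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1
        except (ValueError, ssl.SSLError):
            pass                         # OpenSSL built without TLS 1.0 support
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """One finding per setting below the floor; an empty list means compliant."""
    findings: list[str] = []
    if ctx.minimum_version < TLS_FLOOR:
        findings.append(
            f"minimum_version={ctx.minimum_version.name}: versions below TLS 1.2 accepted"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer certificate not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate not matched to server name")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("legacy", legacy_client_context())):
        print(name, audit_context(ctx) or "OK")
```

To use the hardened context, wrap an outbound socket with ctx.wrap_socket(sock, server_hostname=host); the server_hostname argument is what check_hostname validates against. The audit function is the kind of check to run in CI against every context the application builds, so a developer cannot quietly relax verify_mode to get past a certificate problem.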

Use encrypted off-site backup providers

Data backups are essential to restore functionality and ensure service availability during network incidents. They also support the Security Rule's contingency-plan requirements (data backup and disaster recovery), protecting patient information against destruction or loss.

However, backup services should meet HIPAA encryption requirements. Write and implement watertight business associate agreements with data storage partners, including specific encryption standards.

Use secure email services

Email is a common point of PHI exposure. Employees may accidentally send PHI to unauthorized contacts, while criminals can intercept and easily read unencrypted emails.

Prefer TLS 1.2/1.3 for email in transit, or use portal-based message encryption; HIPAA allows unencrypted email to patients if they have been warned of the risks and still request it. Note that TLS between mail servers protects only each hop, not the message at rest on either end. Encrypted email or portal services instead require the recipient to authenticate before the message is decrypted, so only the intended contact can access PHI sent this way.

Additionally, secure email services maintain activity logs. Organizations can generate records of who accessed PHI and who received it. This provides valuable evidence of compliance and assists HIPAA security audits.

Adopt secure key management policies

Managing encryption keys is a critical part of HIPAA encryption requirements. Set key lifetimes and rotation based on NIST SP 800-57 key-management guidance and system risk, not a fixed calendar interval.

Store encryption keys in a hardware security module (HSM) or with a reputable cloud key management service, and use role-based access controls to limit who can use, rotate, or destroy keys. Access should be tightly restricted to designated key custodians, with separation of duties between those who administer keys and those who use them.
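As an added example that is not part of the original article, the register below applies the key-lifecycle model from NIST SP 800-57 that the two paragraphs above rely on: each key has an originator-usage period during which it may encrypt and a longer recipient-usage period during which it may still decrypt, rotation produces a new active key, expired material is destroyed, every operation is checked against a role, and every change is written to an audit log. The role names, periods, key IDs and dates are illustrative assumptions; the random bytes stand in for material that would be generated and held by an HSM or KMS in a real deployment.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class KeyState(Enum):
    PRE_ACTIVATION = "pre-activation"  # generated, not yet usable
    ACTIVE = "active"                  # may encrypt and decrypt
    DEACTIVATED = "deactivated"        # may only decrypt ciphertext made earlier
    DESTROYED = "destroyed"            # material wiped; unusable


@dataclass
class ManagedKey:
    key_id: str
    activated_at: datetime
    originator_period: timedelta   # SP 800-57 originator-usage period (encrypt)
    recipient_period: timedelta    # SP 800-57 recipient-usage period (decrypt)
    material: bytes | None = field(default=None, repr=False)

    def state_at(self, now: datetime) -> KeyState:
        if self.material is None:
            return KeyState.DESTROYED
        if now < self.activated_at:
            return KeyState.PRE_ACTIVATION
        if now < self.activated_at + self.originator_period:
            return KeyState.ACTIVE
        return KeyState.DEACTIVATED


# Illustrative RBAC matrix (assumption): which roles may perform which key operations.
ROLE_PERMISSIONS = {
    "key-custodian": {"rotate", "destroy", "encrypt", "decrypt"},
    "application": {"encrypt", "decrypt"},
    "auditor": set(),
}


class KeyRing:
    def __init__(self, originator_period: timedelta, recipient_period: timedelta):
        if recipient_period < originator_period:
            raise ValueError("recipient period must be at least the originator period")
        self.originator_period = originator_period
        self.recipient_period = recipient_period
        self.keys: dict[str, ManagedKey] = {}
        self.audit_log: list[str] = []   # who did what to which key, and when

    def _authorize(self, role: str, op: str, now: datetime) -> None:
        if op not in ROLE_PERMISSIONS.get(role, set()):
            self.audit_log.append(f"{now.isoformat()} DENY role={role} op={op}")
            raise PermissionError(f"role {role!r} may not {op}")

    def rotate(self, role: str, now: datetime) -> ManagedKey:
        """Generate a new key; it becomes the only key allowed to encrypt."""
        self._authorize(role, "rotate", now)
        key = ManagedKey(f"k{len(self.keys) + 1:03d}", now, self.originator_period,
                         self.recipient_period, secrets.token_bytes(32))
        self.keys[key.key_id] = key
        self.audit_log.append(f"{now.isoformat()} ROTATE role={role} new={key.key_id}")
        return key

    def encryption_key(self, role: str, now: datetime) -> ManagedKey:
        """Newest ACTIVE key; raises when rotation has been missed and none is active."""
        self._authorize(role, "encrypt", now)
        active = [k for k in self.keys.values() if k.state_at(now) is KeyState.ACTIVE]
        if not active:
            raise LookupError("no active key: rotation overdue")
        return max(active, key=lambda k: k.activated_at)

    def decryption_key(self, role: str, key_id: str, now: datetime) -> ManagedKey:
        """ACTIVE or DEACTIVATED keys inside their recipient period may decrypt."""
        self._authorize(role, "decrypt", now)
        key = self.keys[key_id]
        if key.state_at(now) not in (KeyState.ACTIVE, KeyState.DEACTIVATED):
            raise LookupError(f"{key_id} is {key.state_at(now).value}; cannot decrypt")
        if now >= key.activated_at + key.recipient_period:
            raise LookupError(f"{key_id} recipient-usage period has ended")
        return key

    def destroy_expired(self, role: str, now: datetime) -> list[str]:
        """Wipe material of keys whose recipient-usage period has ended."""
        self._authorize(role, "destroy", now)
        destroyed = []
        for key in self.keys.values():
            if key.material is not None and now >= key.activated_at + key.recipient_period:
                key.material = None
                destroyed.append(key.key_id)
                self.audit_log.append(f"{now.isoformat()} DESTROY role={role} key={key.key_id}")
        return destroyed


def demo_timeline() -> dict[str, object]:
    """Walk one constructed rotation timeline (90-day encrypt, 365-day decrypt)."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    day = lambda n: t0 + timedelta(days=n)
    ring, out = KeyRing(timedelta(days=90), timedelta(days=365)), {}
    ring.rotate("key-custodian", day(0))
    out["day30_encrypt"] = ring.encryption_key("application", day(30)).key_id
    ring.rotate("key-custodian", day(60))
    out["day61_encrypt"] = ring.encryption_key("application", day(61)).key_id
    out["day100_k001_state"] = ring.keys["k001"].state_at(day(100)).value
    out["day100_decrypt_k001"] = ring.decryption_key("application", "k001", day(100)).key_id
    try:
        ring.rotate("application", day(100)); out["app_rotate"] = "allowed"
    except PermissionError:
        out["app_rotate"] = "denied"
    out["day400_destroyed"] = ring.destroy_expired("key-custodian", day(400))
    try:
        ring.decryption_key("application", "k001", day(400)); out["day400_decrypt_k001"] = "allowed"
    except LookupError:
        out["day400_decrypt_k001"] = "refused"
    try:
        ring.encryption_key("application", day(400)); out["day400_encrypt"] = "ok"
    except LookupError:
        out["day400_encrypt"] = "rotation overdue"
    out["audit_entries"] = len(ring.audit_log)
    return out
```

The timeline is the useful part: on day 400 the second key is still decryptable but no key is active, so encryption_key() fails loudly instead of silently reusing a key past its cryptoperiod. That failure, and the DENY entry written when the application role tries to rotate, are exactly the events the monitoring discussed below should alert on.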

Operate dynamic risk assessments

HIPAA compliance rests on effective data security risk assessments. Companies must assess the data they process and store to identify PHI and highlight urgent security risks.

Crucially, risk assessment is not a one-time task. Security teams should regularly assess data encryption methods to verify they comprehensively cover ePHI. Monitoring should also be continuous and dynamic. Logs should record key status and data operations to identify potential compliance violations.

Extend encryption to mobile devices and remote work settings

Many healthcare organizations depend on remote work and telemedicine services. However, remote work creates security risks without robust encryption. Reliable virtual private networks encrypt data in transit. Security teams should also strictly enforce the encryption of mobile devices and laptops.

Train staff to understand HIPAA compliance

Encryption across the organization depends on employees using the systems correctly: unlocking encrypted devices, sending PHI through approved channels, and not copying data to unencrypted media. Security teams should train staff to safeguard data and emphasize the consequences of lax data security behavior.

Under HIPAA, employees may also have notification duties. Ensure stakeholders understand the need to report data breaches and encryption violations promptly.

Staff can also be a valuable source of intelligence about encryption failures. For example, employees may report issues regarding mobile phone encryption or draw attention to coordinated phishing attacks.

In summary: Treat encryption as a HIPAA essential

Technically, encryption is defined as "addressable" under HIPAA. However, addressable does not mean optional. Covered entities and business associates alike should regard data encryption as an essential component of HIPAA compliance.

Data encryption cuts the risk of data exposure, limits access to authorized network users, and ensures patient privacy by blocking outsiders. In a world where criminals constantly seek access to electronic PHI, robust encryption is the core of HIPAA-compliant data security—not an optional extra.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. The laws, regulations, and penalties discussed are subject to change and may have been updated since the time of publication. We recommend consulting with a qualified legal professional for guidance on your specific compliance needs.