HIPAA Encryption Requirements: An Updated Guide

TLS 1.2 and 1.3 are widely accepted in healthcare. Older versions (such as TLS 1.0 and 1.1) are generally considered deprecated and should be disabled.

How to Encrypt Healthcare Data at Rest

Data at rest includes any ePHI stored on devices, servers, databases, or backups when it is not actively moving across a network. Because device loss and server compromises are common, encryption at rest is a core safeguard.

Full Disk Encryption

Full disk encryption (FDE) encrypts an entire storage drive, including the operating system and all files. It is often used for:

• Laptops and desktops

• Mobile devices

• Some on-premises and cloud servers

If a device using FDE is lost or stolen and is powered off or locked, the data on the drive remains protected.

Virtual Disk or Volume Encryption

Virtual disk encryption creates an encrypted container, volume, or partition for sensitive data. This approach works well when:

• You cannot turn on FDE for technical reasons, or

• You want to keep ePHI isolated from other data on the same device.

File and Folder-Level Encryption

File and folder-level encryption protects specific files or directories that contain ePHI. It offers granular control but requires robust processes to ensure that all ePHI is consistently stored in encrypted locations and not copied elsewhere in plain text.

How to Encrypt Data in Transit Under HIPAA

Data in transit includes ePHI sent over networks via:

• Web applications and patient portals

• APIs and web services

• Email and secure messaging

• File transfers and remote access tools

Because network traffic can be intercepted or observed, encryption in transit is a key safeguard in HIPAA risk management.

Transport Layer Security (TLS)

TLS is used to encrypt:

• Browser sessions (HTTPS)

• API calls

• Many email connections (SMTP, POP, IMAP with TLS)

Configure TLS to:

• Use current protocols (TLS 1.2 or 1.3)

• Disable weak ciphers and legacy versions

• Enforce HTTPS for web applications that handle ePHI

IPSec Virtual Private Networks

IPSec-based VPNs create encrypted tunnels for remote access. They are commonly used to:

• Allow clinicians and staff to connect securely from home or remote clinics

• Connect on-premises data centers to cloud environments

• Protect traffic between sites or networks that carry ePHI

HIPAA Database Encryption Considerations

Databases that contain ePHI are high-value targets for attackers. Encrypting databases provides protection beyond filesystem or storage-level encryption.

Transparent Data Encryption (TDE)

Transparent Data Encryption encrypts database files on disk without requiring application changes. TDE typically protects:

• Data files

• Transaction logs

• Database backups

TDE is a straightforward way to add encryption at rest for relational databases that store ePHI.

Column-Level Encryption

Column-level encryption is used for specific sensitive fields, such as:

• Social Security numbers

• National identifiers

• Diagnoses or highly sensitive clinical notes

This approach allows you to encrypt only the most sensitive columns while leaving other fields readable for reporting or analytics.

Application-Level Encryption

With application-level encryption, the application encrypts data before writing it to the database. Even if the database or storage layer is compromised, the attacker sees only ciphertext.

Application-level encryption is more complex to design and operate but can provide a stronger separation of duties and limit who can decrypt ePHI.

HIPAA Encryption Key Management Best Practices

Encryption is only as strong as your key management practices. Poor key management can undo the benefits of encryption.

Key Generation and Storage

• Generate keys using strong, approved methods.

• Store keys separately from the encrypted data.

• Use hardware security modules (HSMs) or managed key management services where possible for systems that handle large volumes of ePHI.

Key Rotation and Lifecycle Management

Define and enforce a key lifecycle that covers:

• Key creation and distribution

• Regular rotation

• Archival and recovery procedures

• Secure destruction when keys are no longer needed

Long-lived, rarely rotated keys increase risk.

Access Controls for Encryption Keys

• Limit access to keys to a small group of authorized personnel.

• Enforce least privilege and separation of duties.

• Log and monitor all key access and administrative actions.

In practice, you should be able to show:

• Separate storage of keys and data

• Detailed access logging and alerts

• Regular rotation based on policy

• Documented procedures for secure key destruction

How Firewalls Support HIPAA Security

While HIPAA does not prescribe a specific firewall product, network security controls such as firewalls and intrusion detection systems support the Security Rule’s technical safeguards.

Effective firewall configurations can help:

• Segment networks: Isolate systems that store or process ePHI from general corporate or guest networks.

• Control access: Limit inbound and outbound traffic to only what is needed for clinical and business workflows.

• Detect intrusions: Monitor for suspicious connections, port scans, or abnormal traffic patterns.

• Provide audit trails: Log network activity to support investigations and demonstrate due diligence.

Keep firewall rules and firmware up to date, and review configurations regularly as part of your risk management program.

What Happens If You Do Not Encrypt PHI

Not encrypting ePHI where it is reasonable and appropriate creates significant financial, legal, and reputational risk. According to IBM's 2025 report, healthcare data breaches cost an average of $7.42 million per incident—the highest of any industry for the fourteenth consecutive year.

OCR Enforcement Actions and Penalties

OCR enforces HIPAA and has issued significant penalties where encryption was missing or poorly implemented. The penalty structure ranges from unknowing violations to willful neglect and can reach $2,190,294 per violation category, especially when organizations fail to correct known gaps.

Breach Notification Obligations

If unencrypted ePHI is lost, stolen, or accessed by an unauthorized party, you generally must:

• Conduct a breach risk assessment, and

• Notify affected individuals, HHS, and in some cases the media (for incidents affecting 500 or more individuals).

When ePHI is encrypted in line with recognized standards and keys remain secure, many incidents will not meet the definition of a reportable breach, reducing the likelihood of large-scale notification and public reporting.

Reputational and Business Impact

Beyond regulatory penalties, failures to encrypt ePHI can lead to:

• Loss of patient and member trust

• Contract terminations or lost renewals

• Increased scrutiny from partners, payers, and regulators

• Higher costs for remediation, monitoring, and litigation

How Continuous Compliance Simplifies HIPAA Encryption

Manually tracking encryption controls, gathering screenshots, and assembling evidence before an audit is slow and error-prone. As environments grow, it becomes harder to know whether all systems that touch ePHI are:

• Encrypted at rest where appropriate

• Using strong, current protocols in transit

• Covered by consistent key management policies

Continuous compliance platforms help by:

• Automating evidence collection from your infrastructure, devices, and cloud services

• Continuously monitoring encryption-related controls and configurations

• Surfacing gaps before they become audit findings or breaches

• Maintaining audit-ready documentation for frameworks like HIPAA over time

Instead of scrambling to prove encryption after the fact, teams can see their control posture in near real time and remediate issues early.

FAQs About HIPAA Encryption Requirements