HIPAA Encryption: Requirements, Best Practices & Software


Wondering if HIPAA requires encryption? We are going to cover when encryption is required, what type is best and software to maintain compliance.

Does HIPAA require encryption? Yes, HIPAA requires encryption of protected health information (PHI) and electronic PHI (ePHI) of patients when the data is at rest, meaning the data is stored on a disk, USB drive, etc. However, there are very specific exceptions.

Encrypting Patient Health Information and the Modern Threats Landscape

In November 2019, an unencrypted laptop and flash drive were stolen from The University of Rochester Medical Center (URMC). As a result, the URMC paid $3 million to the Office for Civil Rights (OCR) as part of a settlement due to potential violations of HIPAA security requirements.

While the loss of PHI is problematic enough, the OCR investigation illustrated a breakdown in security implementation across the organization, including a failure to conduct sufficient risk analysis (and subsequently reduce risk and vulnerabilities) and a lack of proper device encryption that had already been flagged as a problem nine years prior.

In a world of electronic data transfers and mobile devices, there are dozens of ways that security can break down and lead to HIPAA non-compliance. All of these ways point back to the necessity of strong HIPAA-compliant implementation.


How Does Data Encryption for Patient Privacy Work?

Data encryption for patient privacy works by scrambling personally identifiable information and protected health information (PII/PHI), including text and images, in such a way that it cannot be read or understood by anyone other than those with the appropriate permission or access privileges. To accomplish this, the data is transformed through an encryption algorithm using a key known only to authorized parties. The encrypted data can then be safely stored, transmitted, and accessed by authorized individuals. Data encryption also provides data integrity, meaning it can detect if any changes have been made or if anything has been deleted without authorization. This helps to prevent data breaches and ensure patient privacy.

What Are HIPAA Encryption Requirements for Electronic Patient Health Information?

HIPAA establishes three foundational rules for protecting patients and their information:

  1. The Privacy Rule, which outlines protected health information and documentation.
  2. The Breach Notification Rule, which defines how your organization must report a HIPAA breach to authorities and patients after a security breach.
  3. The Security Rule, which establishes security standards for the storage and transmission of ePHI.

These requirements include the responsibility to maintain the confidentiality and security of ePHI, to protect against threats to that security, and to anticipate, within reason, future threats to that information.

While these general requirements inform more specific requirements related to administration, risk management, and technical implementation, they do not specify any particular protocol, technology, or standard. They do, however, specify that healthcare entities must implement reasonable security measures to protect ePHI wherever it is, or justify why they do not do so. The idea here is that, as technology scales and threats evolve, so too must HIPAA security technologies (including security software).

So, the short answer is that the Security Rule doesn’t spell out an encryption protocol to use, and that can seem confusing at first. There are, however, several requirements built into the law that specify the strength and reliability a security standard must have before it can be used as a method of securing ePHI, based on recommendations by the National Institute of Standards and Technology (NIST).

According to HIPAA, encryption software must meet minimum requirements relevant to the state of that information, whether it is at rest or in transit.

Encryption—The Required Addressable Requirement

Encryption is a critical aspect of the HIPAA Security Rule, which sets forth standards for protecting ePHI. While encryption is categorized as an “addressable” requirement, it is generally considered indispensable due to the increased risk of data breaches and cyberattacks in today’s digital healthcare environment.

Understanding the Addressable Nature of Encryption Under the HIPAA Security Rule

Under the HIPAA Security Rule, encryption, once again, is deemed an “addressable” requirement. This term might initially imply that encryption is optional, but that is not entirely accurate. “Addressable” does not mean neglectable. Instead, covered entities must assess whether encryption implementation is reasonable and appropriate within their specific context. If a covered entity opts not to encrypt ePHI, it must document the rationale behind this decision and implement an equivalent alternative measure to protect ePHI.

The Consequences of Not Implementing Encryption or Equivalent Measures

Failing to implement encryption or an equally effective alternative can lead to severe consequences, including data breaches resulting in financial penalties, reputational damage, and potential patient harm. Furthermore, if a violation does occur and the OCR determines that encryption could have prevented or mitigated the breach, the covered entity may be liable for not adequately addressing this HIPAA requirement.

Ultimately, while HIPAA categorizes encryption as an “addressable” requirement, it is practically a necessary measure in today’s healthcare landscape. By implementing robust encryption strategies, healthcare organizations can significantly enhance the security of ePHI, ensuring compliance with HIPAA and fostering trust among patients.

HIPAA Encryption Requirements for Data at Rest

HIPAA sets forth vital security measures to protect the integrity and confidentiality of PHI. Among these measures, the encryption of data at rest—particularly data stored on digital devices—is a crucial component. HIPAA’s encryption requirements draw heavily from the NIST Special Publication 800-111, which provides guidelines for storage encryption technologies.

Data at Rest in a Healthcare Setting

“Data at rest” refers to content stored in a static state on digital devices, such as servers, hard drives, solid-state drives, or mobile devices like smartphones and tablets. This data is particularly vulnerable to unauthorized access, especially in cases of device theft, loss, or improper disposal. Given the sensitive nature of PHI, securing data at rest (and in transit) is paramount in healthcare settings to prevent breaches and maintain patient trust.

NIST Special Publication 800-111: A Comprehensive Guide to Storage Encryption Technologies

The NIST Special Publication 800-111, titled “Guide to Storage Encryption Technologies for End User Devices,” is the cornerstone of HIPAA’s encryption requirements for data at rest. This guide provides a comprehensive overview of the encryption technologies that can secure data stored on different types of devices.

Implementing Advanced Encryption Technologies for Secure Data Storage

The NIST guide recommends using advanced encryption technologies to safeguard data at rest. These technologies, which include cryptographic algorithms and techniques, render data unreadable without a proper decryption key. Full disk encryption (FDE) is one technique that encrypts all data on a storage device, including user and system files. Similarly, virtual disk encryption creates an encrypted container or “virtual disk” on the machine, providing an added layer of security.

The Need for Robust Encryption Strategies for Mobile Devices in Healthcare

In addition to servers and computers, the NIST guide emphasizes the criticality of encrypting data on mobile devices. Given their portable nature and associated risk of theft or loss, mobile devices can pose significant security challenges. Implementing robust encryption methods for these devices is essential to prevent unauthorized access to stored PHI, even if the device falls into the wrong hands.

HIPAA Encryption Requirements for Data in Transit

When data is “in transit,” it is actively moving between a sender and a destination. This can include sharing PHI between two health care providers via email or other software, transmitting to cloud storage, or transmitting between central servers and mobile devices.

In transit, HIPAA cites NIST Special Publication 800-52 “Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations” and 800-77 “Guide to IPsec VPNs.” These publications outline proper procedures for securing data.

HIPAA Encryption Protocols and Their Role in Protecting ePHI

Maintaining strong encryption for data at rest across all computers and devices in your network, alongside strong protection for in-transit information, will help keep ePHI private while demonstrating to the Department of Health and Human Services that you’re using reasonable and appropriate end-to-end security measures.

There are several compliant measures that can support HIPAA compliance, for example, the Advanced Encryption Standard (AES-256). AES encryption is a symmetric method established by the U.S. National Institute of Standards and Technology. With its series of robust cipher rounds and a 256-bit key, this standard is nearly impossible to break with brute-force methods and has been approved for the handling of confidential data by the U.S. Government.
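The two properties this article attributes to encryption, confidentiality under a key known only to authorized parties and detection of unauthorized changes, are exactly what an authenticated mode such as AES-256-GCM provides. The following Go program is an added example, not code from the article or from Kiteworks; the record, the 32-byte demo key and the `Seal`/`Open` names are constructed for illustration, and it uses only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)
// newGCM builds an AES-256-GCM AEAD; only 32-byte (256-bit) keys are accepted.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 {
		return nil, errors.New("need a 32-byte key for AES-256")
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one PHI record; output is nonce||ciphertext||tag, a self-contained blob for storage at rest.
func Seal(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per record: nonce reuse under one key breaks GCM
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, nil), nil
}

// Open decrypts a Seal blob. Any change to the stored bytes (nonce, ciphertext
// or tag) fails GCM's authentication check: the "detect changes" property above.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to hold a nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
func main() {
	key := []byte("demo-key-32-bytes-never-use-live") // constructed demo key; real keys live in a key manager
	blob, _ := Seal(key, []byte("mrn=000123;dx=J45.909"))   // constructed sample record
	blob[len(blob)-1] ^= 1                                   // one flipped bit in storage
	fmt.Println(Open(key, blob))                             // authentication fails, so no plaintext is returned
}
```

A wrong key, a truncated blob or a key of any length other than 32 bytes is rejected the same way, so a stored record is either returned intact or not at all.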

Transport Layer Security (TLS) is another protocol that can support secure data transmission over the web via HTTPS, email or instant messaging. This protocol can use AES-256 for the connection, together with additional safeguards, to secure the data transfer.

OpenPGP (Pretty Good Privacy) and S/MIME are both compliant, but require complex public key management, which can prove clunky and too time-consuming for most organizations. AES-256 and TLS 1.2 don’t have those issues, which is why Kiteworks utilizes them over other security measures.

OpenPGP and S/MIME can make it harder to send messages because they require an organization to manage public keys, and they do not necessarily prevent email messages from being compromised in insecure email environments.

As a rule, a secure system should include AES-256 encryption for data at rest and TLS for data in transit. To avoid requiring public-key encryption for emails, Kiteworks utilizes secure data servers and transmits links to users. So, rather than sending encrypted data through email directly, Kiteworks sends a link to a secure site with user authentication where the recipient can view that information safely.

Where Are the Biggest Cracks in Your HIPAA Encryption Armor and How Can Encryption Safeguard That Data?

Put advanced encryption in place as the first step in ensuring HIPAA compliance. However, several factors can undermine that protection, opening up non-compliance issues and exposing patient data:

Unsecured Email Systems and Servers:

Your employees will inevitably send PHI either through emails or as email attachments. When they refer a patient to a specialist doctor, for example, they need to send records full of PHI to that doctor’s clinic.

Leading secure email products today can ensure HIPAA compliance for all your employees’ private emails and attachments. Choose one that is as simple as normal email, doesn’t require users to manage keys, and even handles huge diagnostic files, so users are not tempted to bypass it in an emergency. Be sure patients, colleagues, and insurance carriers can receive and reply securely without special software.

Lost and Stolen Devices:

More healthcare staff are using laptops, tablets, and mobile phones to do their work, which means handling ePHI through those devices on a regular basis. A stolen laptop with an unencrypted hard drive is a huge security risk and a point of non-compliance for your organization. Likewise, mobile devices using unsecured apps can open your organization to non-compliance even if the device itself is encrypted. Providers like Kiteworks offer secure mobile apps that can meet HIPAA encryption standards.

Staff and Training:

Weak passwords, poor email habits, downloaded malware on company devices, or poor browsing habits can open the door for attackers to grab PHI regardless of what security your organization uses. While HIPAA encryption can protect against some of these attacks, it can’t protect against a lost or stolen device with a key and access to critical ePHI data.

Rotating Encryption Keys and Certificates:

The best security in the world can’t stop someone with the right key. Regular rotation of keys and certificates can make your infrastructure more resilient to security breaches due to compromised keys.

Third-party Partners:

If your organization works with subcontractors, vendors, or other associates, your organization could be held liable for their lack of HIPAA compliance. A Business Associate Agreement (BAA) with a vendor establishes where liability falls when a breach occurs. Kiteworks has a standing BAA that it enters into with any partner in the healthcare industry to maintain HIPAA compliance and protect both organizations and patients.

Weak Encryption:

Old computers, servers, and devices may not have the appropriate protections installed. If data is stored on these devices for production use or just for backup, you’re exposing that data and your organization to non-compliance.

Meet HIPAA Encryption Requirements for Your ePHI With Kiteworks

Healthcare organizations must have the right technical security standards in place to protect ePHI. Encrypting data on servers and during transmission is a necessary part of HIPAA compliance, and that necessity also carries over to third-party cloud and IT vendors that they work with.

Kiteworks provides enterprise-grade managed file transfer and security services for partners in healthcare. Kiteworks follows all HIPAA requirements so that any data stored or transported through our systems, whether via file transfer, email, or cloud storage, is protected. This includes several HIPAA-compliant services and technologies such as mobile apps, secure managed file transfer, and content firewall software.

That means that when you enter into a BAA with us, you can trust that patient data is safe and secure, and your organization is compliant.

To learn how Kiteworks can help keep you HIPAA compliant, schedule a custom demo of Kiteworks today.
