Understanding HIPAA Encryption Requirements: What You Need to Know

In today’s digital healthcare landscape, protecting electronic protected health information (ePHI) is not just a best practice, it’s a legal requirement under the Health Insurance Portability and Accountability Act (HIPAA). While HIPAA does not explicitly require encryption in all cases, failure to implement appropriate safeguards, including encryption when reasonable, can lead to significant security risks and regulatory penalties.

This comprehensive guide explores HIPAA’s encryption requirements, implementation strategies, and real-world implications to help covered entities and business associates reduce risk and remain compliant.

1. Why Encryption Matters Now More Than Ever

The healthcare industry has seen a dramatic rise in cyberattacks, particularly ransomware incidents targeting hospitals, clinics, and their third-party vendors. Why the surge? Medical and dental practices store a treasure trove of data such as names, birthdates, Social Security numbers, diagnoses, prescriptions, insurance information, and even payment methods. This data is incredibly valuable on the black market and is often inadequately protected, especially in smaller or independent practices that lack dedicated IT teams. Remote work, mobile devices, and increased use of cloud storage have also introduced new vulnerabilities. Encryption plays a crucial role in ensuring that even if unauthorized access occurs, the data remains unusable and protected.

Encryption: A Frontline Defense

Encryption is the process of converting data into unreadable code that can only be deciphered with a digital key. When implemented correctly, it ensures that even if data is intercepted or stolen, it remains inaccessible to unauthorized users. HIPAA doesn’t mandate encryption in every instance, but it strongly encourages it.

Key Areas Where Encryption Matters:

➤ Data at Rest: Includes files stored on servers, hard drives, cloud backups, and mobile devices. Encrypting this data protects it in the event of loss or theft.

➤ Data in Transit: Covers emails, patient portal messages, and any information sent between systems. Encryption prevents interception by malicious actors during transmission.

➤ Portable Devices: Laptops, tablets, and USB drives are high-risk assets. Encrypting these devices is vital, especially when staff take them offsite or use them for remote access.

Why It’s Critical Now

1️⃣ Increased Use of Cloud and Mobile Technology: Practices are increasingly relying on cloud-based EHRs, mobile apps, and telehealth services. These conveniences come with new risks. Encryption helps bridge the gap between accessibility and security.

2️⃣ Hybrid Workforces: Remote work and decentralized access have become common, even in healthcare. Encryption helps protect PHI (protected health information) outside the clinic walls, reducing the risk posed by unsecured home networks and personal devices.

3️⃣ Regulatory Scrutiny: State privacy laws (like California’s CPRA) are getting stricter, and federal authorities are becoming less tolerant of preventable breaches. Encryption demonstrates a “good faith effort” to secure patient data, reducing liability and potential fines.

4️⃣ Trust and Reputation: Patients expect their providers to protect their sensitive information. A single data breach can erode years of built trust, and encryption is a tangible step toward preserving that confidence.

Implementing Encryption in Your Practice

Start with a Security Fisk Analysis (SRA) to identify vulnerabilities and determine where encryption can add the most value. Key steps include:

➤ Encrypt all devices used to store or access patient data

➤ Use email encryption for sending PHI

➤ Implement encrypted backups

➤ Choose cloud vendors that offer end-to-end encryption

➤ Train staff on recognizing phishing attempts and securely transmitting data

While many healthcare practices rely on existing staff to conduct a Security Risk Analysis, these employees are often already managing heavy workloads and may lack the time or specialized expertise to address the full scope of HIPAA’s complex security requirements. Engaging HIPAA compliance professionals who specialize in healthcare security can help ensure that the assessment is thorough, accurate, and aligned with current regulatory standards. DoctorsManagement offers a project-based SRA designed to help healthcare and dental practices meet compliance requirements while safeguarding patient data.

2. What Is HIPAA and What Does It Say About Encryption?

HIPAA was enacted in 1996 to protect health information and promote administrative efficiency. The Security Rule, finalized in 2003, established standards for protecting ePHI. The HITECH Act of 2009 emphasized breach notifications and penalties, while the 2013 Omnibus Rule strengthened enforcement. Encryption is considered an “addressable implementation specification”, which means organizations must assess whether encryption is reasonable and appropriate. If it is, they must implement it. If not, they must document why and implement an equivalent safeguard.

What is HIPAA?

HIPAA is a U.S. federal law that was originally designed to improve the portability of health insurance coverage and reduce administrative costs. Over time, it evolved to include strict regulations on the privacy and security of health data, especially with the rise of electronic health records.

The HIPAA framework is built around five major rules, two of which directly impact data security:

➤ The Privacy Rule: Establishes standards for the protection of personal health information (PHI), whether in paper, oral, or electronic form.

➤ The Security Rule: Focuses specifically on electronic PHI (ePHI) and outlines the administrative, physical, and technical safeguards that covered entities and business associates must implement to ensure its confidentiality, integrity, and availability.

What is ePHI?

Electronic Protected Health Information (ePHI) refers to any PHI that is created, stored, transmitted, or received in electronic form. Examples include:

➤ Medical records stored in cloud-based EMRs

➤ Patient information sent via email

➤ Billing or claims data handled by third-party vendors

Any time patient information is stored or transmitted digitally, it becomes subject to HIPAA’s Security Rule and the expectations around technical safeguards, including encryption.

HIPAA Encryption Requirements:

Encryption is not explicitly required by HIPAA, but it is strongly recommended. The key language used in the HIPAA Security Rule is that encryption is an “addressable” implementation specification, not a “required” one. This means:

➤ Covered entities and business associates must assess whether encryption is a reasonable and appropriate safeguard for their operations.

➤ If the organization decides not to implement encryption, it must document why and implement an equivalent alternative.

“Addressable” Doesn’t Mean “Optional”

The term “addressable” is often misinterpreted. It doesn’t mean an entity can skip encryption altogether. Rather, the entity must do one of the following:

1️⃣ Implement the safeguard (i.e., encrypt the data),

2️⃣ Use an alternative measure that achieves the same purpose, or

3️⃣ Determine that the safeguard is not reasonable and document the decision and justification.

In most cases, especially when data is transmitted over the internet or stored on portable devices, encryption is the most practical and defensible option.

On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI). This NPRM includes the removal of the distinction between “required” and “addressable” implementation specifications and would make all implementation specifications required with specific, limited exceptions.   

Best Practices for HIPAA-Compliant Encryption:

🔐 Use NIST-Recommended Encryption Standards: HIPAA defers to NIST guidelines for defining strong encryption.

🖥️ Encrypt Devices and Storage Media: Laptops, smartphones, USB drives, and backup media should be encrypted, especially if they leave the facility or are used by remote employees.

📧 Encrypt Emails and Texts: Use secure email and messaging platforms with built-in encryption to send patient data, especially between providers, or when communicating with patients.

🌐 Use VPNs and Secure Portals: Implement Virtual Private Networks (VPNs) and secure patient portals for accessing or transmitting PHI remotely.

3. Case Studies: What Happens When You Don’t Encrypt

In the healthcare space, data security is not optional. However, too often, medical practices stumble by overlooking encryption. Encryption is one of the most powerful safeguards healthcare providers can use to protect patient data. Many medical offices either underestimate its importance or delay implementation.

While some may assume a breach “won’t happen to them,” recent years have proven otherwise. Across the country, healthcare providers – from small private practices to large hospital systems –  have faced severe financial penalties and reputational damage after failing to secure data properly. The following case studies from the past three years highlight what happens when encryption and other HIPAA safeguards are overlooked.

1️⃣ Plastic Surgery Associates of South Dakota – $500K Settlement (2024)

PSASD suffered ransomware attacks on workstations and servers, which encrypted sensitive data. The OCR found multiple failures including lack of risk analysis, risk management, and system monitoring. PSASD paid a $500,000 settlement, along with a two-year corrective action plan.

2️⃣ Bryan County Ambulance Authority – $90K Settlement (2024)

This EMS provider experienced ransomware encryption of files affecting over 14,000 patients. OCR cited failure to conduct HIPAA-compliant risk analysis, resulting in a $90,000 settlement and a three-year corrective action plan.

3️⃣ Heritage Valley Health System – $950K Penalty (2024)

Following a malware attack traced back to a business associate, OCR uncovered inadequate risk planning, emergency preparedness, and access controls. The system agreed to pay $950,000 and implement a multi-year corrective action plan.

4️⃣ Mulkay Cardiology Consultants – Class Action Settlement (2025)

A ransomware breach in Sept 2023 exposed data of almost 80,000 patients, including SSNs and insurance information. Though not specifying encryption directly, this breach underscores the risks of lax data protection. The clinic settled, offering affected individuals up to $5,000 for identity theft losses, $500 for expenses, plus credit monitoring and a modest cash payment.

5️⃣ UnitedHealth/Change Healthcare Attack – $2.45 Billion in Projected Costs (2024)

In early 2024, cybercriminals hit Change Healthcare (a UnitedHealth subsidiary), halting claims billing, and pharmacy operations nationwide. The attack exposed sensitive PHI of over 100 million individuals. UnitedHealth acknowledge paying a $22 million ransom along with over $1.6 billion in breach-related expenses and is projected to incur up to $2.45 billion in total costs

These cases illustrate a pattern of neglecting encryption ties directly into broader compliance failures and risk analysis gaps. Encryption is more than a checkbox, it is a foundational safeguard that reduces breach severity, supports regulatory compliance, limits legal and financial exposure, and builds patient trust.

4. Business Associates and Cloud Services: Who’s Responsible?

HIPAA applies not only to covered entities but also to business associates, including cloud storage providers, EHR vendors, and billing services. These third parties must sign Business Associate Agreements (BAAs) and implement proper encryption controls. The U.S. Department of Health and Human Services (HHS) has published specific guidance on HIPAA and cloud computing under its “Special Topics” section, which offers a Q&A format to help HIPAA-covered entities and business associates understand their obligations when using cloud services involving ePHI.

Key Highlights

➤ Cloud Service Providers (CSPs) are considered Business Associates if that handle ePHI – even if the data is encrypted and the provider lacks decryption keys.

➤ Business Associate Agreements (BAAs) are required for covered entities and business associates that do business with any CSP involved in ePHI storage or processing.

➤ Risk Analysis and Management still apply. Using the cloud doesn’t change the obligation to conduct through risk assessments, implement suitable safeguards, and abide by clear contractual responsibilities.

➤ CSPs are not exempt from business associate status, even if they only provide storage or other “no-view” services.

➤ Security Incident Reporting is required by a CSP in the event of a security incident or breach to the covered entity or business associate as specified in the BAA or under HIPAA rules.

➤ International Data Storage is permitted, but with caution. Entities may use CSPs that store ePHI outside the US but must assess and mitigate associated risks in their risk analysis.

5. Recommended Encryption Standards and Tools

HIPAA does not dictate which encryption product or method must be used, but it does set a standards-based framework for how encryption should be implemented. HHS defers to standards from the National Institute of Standards and Technology (NIST), and HIPAA requires the protection of ePHI during both storage (at rest) and transmission (in transit).

Encryption for Data at Rest

➤ Data at rest includes stored files on local servers, cloud databases, mobile devices, USBs, and backup tapes.

▹   Advanced Encryption Standard: AES-128, AES-192, or AES-256 are all acceptable (NIST SP 800-111).

▹  FIPS 140-2 validated cryptographic modules must be used (Federal Information Processing Standard) with the following example implementations:

➤ Full-disk encryption (BitLocker, FileVault, LUKS)

➤ Database encryption (Transparent Data Encryption in SQL, Oracle)

➤ Encrypted backups and storage (Veracrypt, AWS KMS for cloud data at rest)

Encryptions for Data in Transit

➤ Data in transit includes email communications, remote access, file transfers, and patient portal traffic.

▹ Transport Layer Security (TLS) v1.2 or higher (NIST SP 800-52 Rev. 2)

▹ IPSec VPNs (NIST SP 800-77)

▹ SSH/SFTP/SCP for secure file transfer (NIST SP 800-113)

▹ HTTPS with modern cipher suites – disabling SSL and early TLS, which are no longer secure

Mobile Devices and Removable Media

➤ FIPS 140-2 validated AED encryption for USB drives, laptops, smartphones, and tablets.

➤ Mobile device management (MDM) tools for enforcing encryption policies.

HIPAA requires encryption whenever reasonable and appropriate, with NIST standards (AES, TLS, IPSec, FIPS 140-2 modules) forming the benchmark for compliance. While HIPAA doesn’t dictate specific vendors, organizations should choose tools validated under NIST/FIPS standards, enforce them through policy, and include encryption in their risk analysis and BA agreements.

6. Implementation Strategies and Documentation

Protecting patient health information (PHI) is one of the most critical responsibilities for any medical office. The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to implement technical safeguards to secure PHI, with encryption being one of the most effective. While HIPAA does not mandate specific encryption technologies, it strongly recommends their use when transmitting or storing PHI electronically. Below is a practical checklist medical offices can follow to ensure HIPAA-compliant encryption, along with strategies for implementation and documentation.

1️⃣ Identify and Classify PHI 

🇦 Inventory all locations where PHI is stored (EHR systems, laptops, cloud services, backup drives).

🇧 Identify workflows where PHI is transmitted (email, patient portals, file transfers).

🇨 Classify PHI according to risk level to prioritize encryption efforts.

2️⃣ Encrypt Data at Rest

🇦 Use full-disk encryption on desktops, laptops, and mobile devices that access PHI.

🇧 Encrypt servers and databases where PHI is stored.

🇨 Secure portable media (USB drives, external hard drives) with encryption or restrict their use entirely.

3️⃣ Encrypt Data in Transit

🇦 Require encrypted email services or secure messaging platforms for patient communication.

🇧 Implement HTTPS/TLS for all web-based applications and patient portals.

🇨 Ensure VPNs or secure tunneling protocols are used for remote access.

4️⃣ Key Management Practices

🇦 Store encryption keys separately from encrypted data.

🇧 Implement role-based access to keys.

🇨 Rotate and retire encryption keys regularly.

5️⃣ Policies and Procedures

🇦 Document a formal encryption policy that defines approved technologies, configurations, and user responsibilities.

🇧 Train staff on secure data handling, including proper use of encrypted systems.

🇨 Include encryption controls in your disaster recovery and incident response plans.

6️⃣ Testing and Auditing

🇦 Conduct regular risk assessments to evaluate whether encryption controls remain effective.

🇧 Perform penetration testing and vulnerability scans to identify gaps.

🇨 Audit logs to track access and verify encrypted communication channels. and retire encryption keys regularly.

7️⃣ Documentation for Compliance

🇦 Maintain written records of encryption solutions implemented, vendors used, and configurations.

🇧 Keep training logs showing staff education on encryption practices.

🇨 Store copies of Business Associate Agreements (BAAs) confirming partners also comply with encryption standards.

7. Conclusion and Call to Action

HIPAA sets the foundation for protecting patient privacy, and for most medical and dental practices, encrypting ePHI is not only reasonable but essential. From laptops to emails, servers to smartphones, encryption protects both your patients and your organization. By embracing encryption as part of your HIPAA compliance strategy, you’re not just meeting regulatory standards – you’re fostering trust and defending against an increasingly hostile digital landscape.

Call to Action

Don’t wait until a breach forces your practice to take action. Now is the time to review your systems, identify vulnerabilities, and put encryption safeguards in place. Our team can guide you through risk assessments, staff training, and the implementation of HIPAA-compliant policies tailored to your organization.

👉 Contact us today to schedule a consultation and take the next step toward stronger HIPAA compliance and data security.

Contact Us