⚠️ January 2025 HIPAA Security Rule Update: Proposed Rule Published (Not Yet Final)

Enhanced Encryption Standards for 2025

The HIPAA Security Rule update that HHS published in January 2025 is a proposed rule (NPRM), not a final rule, but its direction is clear: encryption of electronic PHI at rest and in transit moves from an addressable to a required safeguard, with narrow exceptions. The rule text calls for encryption consistent with prevailing cryptographic standards rather than naming algorithms; the AES-256 and TLS 1.2+ baseline used throughout this page is the practical reading of that requirement in line with current NIST guidance. Organizations should upgrade to modern cryptographic standards and retire deprecated protocols now rather than waiting for the final rule's compliance date.

What Changed in the 2025 Update

Before 2025

Encryption was "addressable" under the Security Rule

No specific cryptographic standards mandated

Organizations could use outdated protocols (TLS 1.0, 3DES)

Alternative safeguards allowed in place of encryption

Inconsistent implementation across healthcare sector

Proposed in January 2025

Encryption of ePHI at rest and in transit becomes a "required" implementation specification, with narrow exceptions

Encryption must be consistent with prevailing cryptographic standards; in practice that is AES-256 at rest and TLS 1.2 or later in transit (the baseline used on this page)

Deprecated protocols must be disabled

Key management requirements established (how keys are generated, stored, rotated and destroyed must be documented)

Compliance audits of the technical safeguards, including encryption, at least every 12 months

Implementation Timeline

The proposed rule would give regulated entities 180 days after the final rule takes effect to comply. The items below are already broken or formally deprecated, so treat them as overdue rather than tied to a regulatory date:

  • Now: disable SSL 2.0/3.0, TLS 1.0, TLS 1.1, RC4 and DES (TLS 1.0/1.1 are deprecated by RFC 8996 and NIST SP 800-52 Rev. 2)
  • Next: migrate any remaining 3DES use to AES (NIST SP 800-131A Rev. 2 disallows 3DES for encryption after 2023)
  • By the compliance date: AES-256 for all ePHI at rest and TLS 1.2+ for all ePHI in transit, with key management and audit procedures documented

Two Types of Encryption Required

You must protect PHI both when stored and when transmitted

Data at Rest

PHI stored on servers, databases, laptops, mobile devices, and backup media

AES-256 encryption minimum

Where This Applies:

  • Database servers containing PHI
  • File servers and network-attached storage
  • Laptop and desktop hard drives
  • Mobile devices (phones, tablets)
  • Removable media (USB drives, external drives)
  • Backup tapes and archives
  • Email servers and archives

Data in Transit

PHI transmitted across networks, internet, or between systems

TLS 1.2 or higher minimum

Where This Applies:

  • Web applications accessing PHI
  • Email containing PHI
  • File transfers (SFTP or FTPS; plain FTP sends credentials and PHI in cleartext and must not be used)
  • Remote desktop connections
  • VPN tunnels
  • API calls and integrations
  • Mobile app communications

Required Encryption Standards

Category                  Standard                                  Primary use                           Status
Symmetric encryption      AES-256 (Advanced Encryption Standard)    Data at rest, bulk encryption         Required
Transport Layer Security  TLS 1.2 or 1.3                            HTTPS, secure communications          Required
SSH / SFTP                SSH-2 with strong key exchange            Secure file transfer, remote access   Recommended
Email encryption          S/MIME or PGP/GPG                         End-to-end email encryption           Required for PHI in email
Full-disk encryption      BitLocker, FileVault, LUKS                Laptops, desktops, mobile devices     Required
VPN encryption            IPsec or OpenVPN with AES-256             Remote access to internal systems     Required

Deprecated Technologies - Must Disable

These encryption methods are no longer acceptable under HIPAA

SSL 2.0 and 3.0

Must be disabled immediately

Multiple critical vulnerabilities: POODLE against SSL 3.0, DROWN against SSL 2.0 (a server that still speaks SSL 2.0 endangers even its TLS connections if they share an RSA key)

TLS 1.0 and 1.1

Disable now; do not let them survive to the compliance date

Deprecated by the IETF (RFC 8996) and NIST (SP 800-52 Rev. 2): both rely on MD5/SHA-1 in the handshake, TLS 1.0 is exposed to BEAST, and neither supports AEAD cipher suites

RC4 Stream Cipher

Must be disabled immediately

Cryptographically broken: keystream biases allow plaintext recovery from repeated encryptions of the same data (cookies, for example); RFC 7465 prohibits RC4 in TLS

DES and 3DES

Migrate to AES now

DES has a 56-bit key that is brute-forced in hours; 3DES keeps a 64-bit block size, so long sessions are exposed to birthday attacks (Sweet32), and NIST SP 800-131A Rev. 2 disallows it for encryption after 2023

MD5 and SHA-1 Hashing

Must migrate to SHA-256 or stronger immediately wherever the hash backs a signature, certificate or integrity check

Practical collision attacks (SHA-1 since 2017) let an attacker forge a signed document or certificate; HMAC-SHA1 in legacy TLS cipher suites is not broken by collisions, but those suites are non-AEAD and should be retired anyway

Action Required

Run vulnerability scans and protocol audits to identify systems still using deprecated encryption methods. Organizations found using these protocols after the deadline will face increased scrutiny and potential enforcement actions.

Implementation Checklist by System Type

Servers & Databases
  • Enable full-disk encryption on all servers containing PHI
  • Configure database encryption (Transparent Data Encryption), and use column- or application-level encryption for the most sensitive fields; TDE protects the files on disk but not against a compromised database login
  • Encrypt backup files and archives
  • Implement encryption key management system
  • Document encryption methods and key rotation procedures
Workstations & Laptops
  • Enable BitLocker (Windows) or FileVault (Mac) on all devices
  • Enforce encryption through Group Policy or MDM
  • Verify encryption status in asset inventory
  • Train users on encryption recovery procedures
  • Secure encryption recovery keys in separate location
Mobile Devices
  • Require device encryption for all smartphones and tablets
  • Enforce encryption through Mobile Device Management (MDM)
  • Implement container/app-level encryption for PHI apps
  • Enable remote wipe capability
  • Restrict access to unencrypted devices
Network Communications
  • Disable TLS 1.0 and 1.1 on all web servers
  • Configure TLS 1.2+ with strong cipher suites
  • Implement HSTS (HTTP Strict Transport Security)
  • Use certificate pinning for mobile applications where you control the client and its update cycle; pin a backup key as well, since a stale pin locks users out when the certificate rotates
  • Monitor and alert on unencrypted connections
Email Systems
  • Enable TLS for all email transmission (STARTTLS) and enforce it with MTA-STS or DANE; STARTTLS alone is opportunistic, and a network attacker can strip it to force cleartext delivery
  • Implement S/MIME or PGP for PHI in email body
  • Configure email gateway encryption policies
  • Train staff on secure email transmission
  • Provide secure portal for PHI sharing instead of email
Cloud Services
  • Verify cloud provider uses AES-256 encryption at rest
  • Ensure TLS 1.2+ for all data transmission
  • Implement client-side encryption where possible
  • Review vendor encryption key management practices
  • Confirm encryption details in Business Associate Agreement

Common Encryption Implementation Mistakes

Mistake: Encryption enabled but keys stored on the same system as the data

Impact: An attacker, or a stolen backup, that includes the key material gets the plaintext for free; the encryption only ever stopped the disk from being read somewhere else

Solution: Keep keys in a key management system (KMS) or hardware security module (HSM) and use envelope encryption: each record or volume gets its own data key, and only a copy of that data key wrapped by a KMS-held key is stored alongside the ciphertext

Mistake: Inconsistent encryption across environments

Impact: PHI may be encrypted in production but not in test/dev

Solution: Apply same encryption standards to all environments containing PHI, including backups and archives

Mistake: TLS enabled but weak cipher suites or old protocol versions still allowed

Impact: An attacker who can interfere with the handshake negotiates down to a suite or version with known breaks (RC4, 3DES, non-forward-secret RSA key exchange, TLS 1.0/1.1)

Solution: Set TLS 1.2 as the minimum version, allow only AEAD suites (AES-GCM, ChaCha20-Poly1305) with ECDHE/DHE key exchange, and generate the server configuration from the Mozilla SSL Configuration Generator (intermediate profile or stricter)
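Both the protocol audit called for under "Action Required" and the cipher-suite hardening just above, as an added example that is not the page's own code: a Python script using only the standard-library ssl module. classify_suites() flags suite names (OpenSSL or IANA spelling, for instance pasted from a scanner's output) that fail this page's baseline, hardened_server_context() is the Python equivalent of a TLS 1.2+, AEAD-only, forward-secret server configuration, and probe_protocols() is the online check to run against hosts you are authorized to test. The marker table, the reason strings and the constructed suite list are assumptions of the example, not text from the page.

```python
"""TLS protocol and cipher-suite audit against this page's deprecated list.

Added example, not the page's own code. classify_suites() is an offline check
you can feed names from any scanner; hardened_server_context() shows the
Python-side equivalent of a strong web-server TLS config; probe_protocols()
is the online check to run against your own hosts (needs network access).
"""
import socket
import ssl

# Substrings of OpenSSL/IANA suite names that mark a suite as unacceptable (assumed table).
DEPRECATED_MARKERS = {
    "RC4": "RC4 stream cipher (RFC 7465 prohibits it in TLS)",
    "DES": "DES/3DES (56-bit key or 64-bit block; NIST disallows 3DES after 2023)",
    "MD5": "MD5-based MAC",
    "NULL": "no encryption at all",
    "EXP": "export-grade key length",
    "ADH": "anonymous DH, no server authentication",
    "AECDH": "anonymous ECDH, no server authentication",
    "ANON": "anonymous key exchange, no server authentication",
}
DEPRECATED_VERSIONS = ("SSLv3", "TLSv1", "TLSv1.1")


def _is_tls13(upper):
    # IANA TLS 1.3 names are TLS_AES_..., TLS_CHACHA20_...; TLS 1.2 IANA names contain _WITH_.
    return upper.startswith("TLS_") and "_WITH_" not in upper


def _forward_secret(upper):
    if "_WITH_" in upper:                          # IANA style: TLS_ECDHE_RSA_WITH_...
        kx = upper.split("_WITH_")[0]
        return "ECDHE" in kx or "_DHE_" in kx
    return upper.startswith(("ECDHE-", "DHE-"))    # OpenSSL style


def classify_suites(names):
    """Return {suite: [reasons]} for every suite failing the baseline; {} means clean."""
    findings = {}
    for name in names:
        upper = name.upper()
        reasons = [why for marker, why in DEPRECATED_MARKERS.items() if marker in upper]
        if not _is_tls13(upper):                   # TLS 1.3 suites are AEAD + (EC)DHE by design
            if not _forward_secret(upper):
                reasons.append("no forward secrecy (static RSA/DH key exchange)")
            if not any(aead in upper for aead in ("GCM", "CHACHA20", "CCM")):
                reasons.append("non-AEAD CBC suite (HMAC-SHA1/SHA2, padding-oracle history)")
        if reasons:
            findings[name] = reasons
    return findings


def hardened_server_context(certfile=None, keyfile=None):
    """TLS 1.2+ only, AEAD and forward-secret suites (comparable to Mozilla's intermediate profile)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!DSS")
    ctx.options |= ssl.OP_NO_COMPRESSION            # TLS compression enables CRIME
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_suite_names(ctx):
    """Names of every suite the context will offer, TLS 1.2 and 1.3 alike."""
    return [c["name"] for c in ctx.get_ciphers()]


def probe_protocols(host, port=443, timeout=5.0):
    """One handshake attempt per protocol version; value is the negotiated cipher or None."""
    versions = [("SSLv3", ssl.TLSVersion.SSLv3), ("TLSv1", ssl.TLSVersion.TLSv1),
                ("TLSv1.1", ssl.TLSVersion.TLSv1_1), ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
                ("TLSv1.3", ssl.TLSVersion.TLSv1_3)]
    results = {}
    for name, version in versions:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False                  # auditing protocol support, not identity
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")      # let the client offer legacy suites too
        except ssl.SSLError:
            pass                                    # builds without security levels
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.cipher()    # (suite, protocol, bits)
        except (ValueError, ssl.SSLError, OSError):
            results[name] = None                    # refused, or this client's OpenSSL cannot speak it
    return results


def deprecated_versions_accepted(results):
    """Versions from DEPRECATED_VERSIONS that a probed server actually negotiated."""
    return [v for v in DEPRECATED_VERSIONS if results.get(v)]
```

A None from probe_protocols() for SSLv3 or TLS 1.0 can also mean the auditing machine's own OpenSSL refuses to speak that version, so confirm a clean result with a dedicated scanner such as testssl.sh before signing it off; the offline classifier is the part to wire into a periodic compliance check over exported configurations.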

Mistake: Encrypting data but not authenticating the other end of the connection

Impact: A man-in-the-middle presents its own certificate and a client that skips verification encrypts PHI straight to the attacker

Solution: Validate server certificates against a trusted CA in every client (never ship with verification disabled), use mutual TLS for service-to-service and API traffic, and pin certificates or public keys only where you control the client and its update cycle

Mistake: No encryption key rotation policy

Impact: The longer one key protects data, the more ciphertext a single compromise exposes, and there is no tested path for recovering from a leaked key

Solution: Define a cryptoperiod for each key type (NIST SP 800-57 suggests no more than about two years for symmetric data-encryption keys), rotate automatically on that schedule and immediately on suspected compromise, and design storage so that rotating the key-encryption key re-wraps data keys rather than re-encrypting every record
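The separate-key-store and key-rotation points above, as an added example that is not the page's own code: envelope encryption in Python with AES-256-GCM from the cryptography package. InMemoryKeyStore is a stand-in for the KMS/HSM (in production, wrap and unwrap are calls to the KMS API and the key-encryption key never leaves it); the record store only ever holds a wrapped data key, and rotating the KEK re-wraps data keys without touching the record ciphertext. The class and function names, the kek-vN identifiers and the sample record are assumptions of the example.

```python
"""Envelope encryption with a KMS-held key-encryption key (KEK) and KEK rotation.

Added example, not code from the page. InMemoryKeyStore stands in for a KMS/HSM:
in production wrap()/unwrap() are KMS API calls and the KEK never leaves it.
Each record is encrypted under its own data-encryption key (DEK); the record
store holds only the DEK wrapped by the current KEK, so a copy of the database,
disk or backup alone cannot be decrypted. Rotating the KEK re-wraps the DEKs
without touching the record ciphertext.
"""
import os
from dataclasses import dataclass

from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # AES-256-GCM

NONCE_LEN = 12  # 96-bit nonce, the recommended size for GCM


class InMemoryKeyStore:
    """Stand-in for the KMS/HSM. Keys live here and never inside the record store."""

    def __init__(self):
        self._keks = {}               # kek_id -> 32-byte AES-256 key
        self.current_kek_id = None
        self.rotate()                 # a store always has one current KEK

    def rotate(self):
        """Generate a new KEK and make it current; older KEKs stay for unwrapping."""
        kek_id = f"kek-v{len(self._keks) + 1}"   # hypothetical version scheme
        self._keks[kek_id] = AESGCM.generate_key(bit_length=256)
        self.current_kek_id = kek_id
        return kek_id

    def wrap(self, dek):
        """Encrypt a DEK under the current KEK; returns (kek_id, nonce + ciphertext)."""
        kek_id = self.current_kek_id
        nonce = os.urandom(NONCE_LEN)
        # The KEK id is bound as AAD, so a wrapped DEK cannot be replayed under another id.
        return kek_id, nonce + AESGCM(self._keks[kek_id]).encrypt(nonce, dek, kek_id.encode())

    def unwrap(self, kek_id, wrapped):
        kek = self._keks[kek_id]      # KeyError if that KEK has been retired
        return AESGCM(kek).decrypt(wrapped[:NONCE_LEN], wrapped[NONCE_LEN:], kek_id.encode())

    def retire(self, kek_id):
        """Destroy a KEK once nothing is wrapped under it any more."""
        del self._keks[kek_id]


@dataclass
class EncryptedRecord:
    kek_id: str           # which KEK wraps the DEK
    wrapped_dek: bytes    # DEK encrypted by the KMS, never the DEK itself
    nonce: bytes
    ciphertext: bytes     # AES-256-GCM output with the 16-byte tag appended


def encrypt_record(store, plaintext, aad=b""):
    """Fresh DEK per record; aad (e.g. the record id) is authenticated but not encrypted."""
    dek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = AESGCM(dek).encrypt(nonce, plaintext, aad)
    kek_id, wrapped = store.wrap(dek)
    return EncryptedRecord(kek_id, wrapped, nonce, ciphertext)


def decrypt_record(store, record, aad=b""):
    """Raises KeyError for a retired KEK and InvalidTag for tampered data or the wrong aad."""
    dek = store.unwrap(record.kek_id, record.wrapped_dek)
    return AESGCM(dek).decrypt(record.nonce, record.ciphertext, aad)


def rewrap_record(store, record):
    """Move a record to the current KEK; the data ciphertext is reused unchanged."""
    dek = store.unwrap(record.kek_id, record.wrapped_dek)
    kek_id, wrapped = store.wrap(dek)
    return EncryptedRecord(kek_id, wrapped, record.nonce, record.ciphertext)


def rotate_kek_and_rewrap(store, records):
    """KEK rotation: new KEK, re-wrap every record, then retire the old KEK."""
    old_id = store.current_kek_id
    new_id = store.rotate()
    rewrapped = [rewrap_record(store, r) for r in records]
    store.retire(old_id)              # only after every record has been re-wrapped
    return new_id, rewrapped


if __name__ == "__main__":
    kms = InMemoryKeyStore()
    # Constructed sample record; not real patient data.
    rec = encrypt_record(kms, b"MRN 000123: constructed sample record", aad=b"record:123")
    print(rec.kek_id, decrypt_record(kms, rec, aad=b"record:123"))
    new_id, (rec2,) = rotate_kek_and_rewrap(kms, [rec])
    print(new_id, "ciphertext unchanged:", rec2.ciphertext == rec.ciphertext)
```

The record id goes in as additional authenticated data so a ciphertext copied from one row into another fails to decrypt; with a real KMS the same shape applies, except that the DEK is generated and wrapped by the KMS (for example a "generate data key" call) and the re-wrap step becomes a re-encrypt call against the new key version.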

Is Your Encryption Implementation Compliant?

Our compliance assessment includes detailed questions about your encryption implementation for data at rest and in transit. Identify gaps and get specific recommendations for achieving compliance.