The process of encoding ePHI using an algorithmic process that transforms it into an unusable form without the proper decryption key.
Encryption is the process of converting electronic protected health information (ePHI) into a coded format that is unreadable without the appropriate decryption key. Under the HIPAA Security Rule, encryption is classified as an addressable specification for both data at rest and data in transit. While "addressable" means organizations must assess whether encryption is reasonable and appropriate, in practice encryption is widely considered an essential security control. The vast majority of healthcare organizations implement encryption because it provides one of the most effective protections against unauthorized access to ePHI and because of the significant safe harbor benefit it offers.
HIPAA does not mandate specific encryption algorithms but references NIST (National Institute of Standards and Technology) publications for guidance. For data at rest, NIST recommends AES (Advanced Encryption Standard) with 128-bit or 256-bit keys. For data in transit, TLS (Transport Layer Security) version 1.2 or higher is the standard for protecting ePHI transmitted over networks. Organizations should encrypt ePHI on all devices, including servers, workstations, laptops, mobile devices, and removable media. Full-disk encryption protects data if a device is lost or stolen, while file-level or database-level encryption provides additional granularity for access control.
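The at-rest and in-transit guidance above, as an added Go example (not code from this page or from any HIPAA or NIST publication): it seals a constructed ePHI record with AES-256-GCM from Go's standard library, shows that a wrong key or a tampered record yields no plaintext at all, and sets a TLS 1.2 floor for transit. Key storage (a KMS or HSM) is assumed and not shown; the record text and the all-zero "wrong key" are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"fmt"
)

// newGCM wraps AES in GCM mode; a 16- or 32-byte key selects AES-128 or AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects unsupported key lengths
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptEPHI seals one record at rest as nonce || ciphertext || GCM tag.
func EncryptEPHI(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptEPHI returns the record only for the right key; a wrong key or a tampered record fails the GCM tag check.
func DecryptEPHI(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("cannot open record: bad key or truncated data (%v)", err)
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// TransitConfig is the TLS floor for ePHI in transit: nothing below TLS 1.2 is negotiated.
func TransitConfig() *tls.Config { return &tls.Config{MinVersion: tls.VersionTLS12} }

func main() {
	key := make([]byte, 32) // AES-256; in practice the key lives in a KMS/HSM, never beside the data
	rand.Read(key)
	sealed, _ := EncryptEPHI(key, []byte("MRN 000123, dx: constructed sample record"))
	_, err := DecryptEPHI(make([]byte, 32), sealed) // wrong (all-zero) key: record stays unreadable
	fmt.Println("wrong key:", err, "| TLS floor >= 1.2:", TransitConfig().MinVersion >= tls.VersionTLS12)
}
```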
One of the most compelling reasons to implement encryption is the safe harbor provision under the Breach Notification Rule. When ePHI is encrypted using methods consistent with NIST guidance and the encryption keys have not been compromised, the data is considered "secured" under HIPAA. If secured (encrypted) ePHI is accessed without authorization, it does not trigger breach notification requirements because the data is unusable, unreadable, and indecipherable to the unauthorized person. This safe harbor can save organizations from the substantial costs and reputational damage associated with breach notification, making encryption one of the most cost-effective risk mitigation strategies available.