⚠️ January 2025: HHS Published Proposed HIPAA Security Rule Updates (Proposed Rule, Not Yet in Effect)

HIPAA Encryption Requirements

Complete guide to encryption requirements for data at rest and in transit under 45 CFR 164.312. Learn standards, implementation, and how encryption provides safe harbor from breach notification.

Why Encryption is Essential

While encryption is currently an "addressable" implementation specification under the HIPAA Security Rule, it provides the strongest protection for ePHI and, when implemented in line with HHS guidance, takes lost or stolen data outside the definition of "unsecured PHI" that triggers breach notification.

Benefits of Encryption

  • Safe harbor: a breach involving ePHI encrypted per the HHS guidance (which points to NIST SP 800-111 for stored data and NIST SP 800-52 for TLS) is not a breach of "unsecured PHI" and does not require notification, provided the decryption key was not also compromised
  • Protects data even if physical security fails
  • Meets industry standards and customer expectations
  • Reduces risk of unauthorized access and data theft
  • Demonstrates strong security posture to regulators

2025 Update: Mandatory Encryption

The proposed 2025 HIPAA Security Rule updates would make encryption REQUIRED (not addressable) for all ePHI at rest and in transit. Organizations should implement encryption now to prepare for this change and benefit from immediate security improvements.

Data at Rest vs. Data in Transit

HIPAA addresses two types of encryption: protecting stored data and protecting data being transmitted.

Data at Rest

Encryption of ePHI stored on any media, whether physical or cloud-based.

Where to Apply:

  • Workstation hard drives and SSDs
  • Laptops and portable computers
  • Mobile devices (smartphones, tablets)
  • Servers and data centers
  • Cloud storage (AWS, Azure, Google Cloud)
  • Backup tapes and external drives
  • USB drives and removable media
  • Email archives and databases

Recommended Standards:

  • AES-256 (Advanced Encryption Standard)
  • AES-128 (minimum acceptable)
  • An authenticated mode such as AES-GCM for file, record and backup encryption, and XTS for disk encryption; never ECB
  • Full disk encryption (FDE), which protects a lost or stolen device but not data read through a logged-in session on a running system
  • File-level or database encryption, layered on top of FDE where the threat includes a compromised host or a privileged insider
  • Transparent Data Encryption (TDE) for databases, noting that TDE protects data files and backups, not data returned to authorized queries

Data in Transit

Encryption of ePHI while being transmitted over networks or the internet.

Where to Apply:

  • Email communications containing PHI
  • Web applications and patient portals
  • Remote desktop and VPN connections
  • File transfers (replace plaintext FTP with SFTP or FTPS)
  • API communications
  • Mobile app data transmission
  • Fax over IP (eFax)
  • Backup and replication traffic

Recommended Standards:

  • TLS 1.2 or higher (Transport Layer Security); TLS 1.3 preferred, with SSL 3.0, TLS 1.0 and TLS 1.1 disabled, per NIST SP 800-52 Rev. 2
  • HTTPS for all web traffic, with HSTS so browsers never fall back to plain HTTP
  • S/MIME or PGP for email encryption (TLS between mail servers is opportunistic and is not a substitute)
  • VPN with strong encryption (IPsec or TLS-based)
  • SFTP for file transfers (the legacy SCP protocol is deprecated by OpenSSH)
  • Encrypted messaging platforms
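As an added example, not part of the original guide, the Go program below expresses the TLS floor described above as a crypto/tls server configuration and checks it with a real handshake over loopback: a server that refuses anything below TLS 1.2 next to the weak TLS 1.0 floor, each exercised with a client that can only speak TLS 1.0/1.1 (an old device) and with a current client. The self-signed "localhost" certificate, the function names and the version ranges are assumptions made for the example; the handshake itself is what an auditor wants as evidence rather than a screenshot of a config file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert makes a throwaway ECDSA P-256 certificate for "localhost" so the
// check runs offline. A real service presents a certificate its clients already trust.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// serverConfig serves the certificate with the given protocol floor. tls.VersionTLS12 is
// what the guide calls for; tls.VersionTLS10 is the weak setting to find and remove.
func serverConfig(cert tls.Certificate, floor uint16) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: floor}
}

// clientConfig verifies the server certificate and offers exactly the version range given:
// (TLS10, TLS11) imitates an old medical device, (TLS12, 0) a current workstation.
func clientConfig(pool *x509.CertPool, floor, ceiling uint16) *tls.Config {
	return &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: floor, MaxVersion: ceiling}
}

// NegotiatedVersion performs one real handshake over loopback and returns the protocol
// version and cipher suite the two sides agreed on, or the handshake error.
func NegotiatedVersion(server, client *tls.Config) (uint16, string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, "", err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer raw.Close()
		srvErr <- tls.Server(raw, server).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		<-srvErr
		return 0, "", err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	<-srvErr
	return st.Version, tls.CipherSuiteName(st.CipherSuite), nil
}

func main() {
	cert, pool, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	hardened, legacy := serverConfig(cert, tls.VersionTLS12), serverConfig(cert, tls.VersionTLS10)
	oldDevice, modern := clientConfig(pool, tls.VersionTLS10, tls.VersionTLS11), clientConfig(pool, tls.VersionTLS12, 0)
	for _, pair := range [][2]*tls.Config{{hardened, modern}, {hardened, oldDevice}, {legacy, oldDevice}} {
		v, suite, err := NegotiatedVersion(pair[0], pair[1])
		fmt.Printf("server floor %s / client range %#x-%#x: %s %s err=%v\n",
			tls.VersionName(pair[0].MinVersion), pair[1].MinVersion, pair[1].MaxVersion, tls.VersionName(v), suite, err)
	}
}
```

To point the same check at a live patient portal or API, replace the loopback listener with the real host:port in tls.Dial and leave RootCAs nil so the system trust store is used; the rejected handshake from the TLS 1.1-only client is the evidence that the floor is actually enforced, and the negotiated version from the modern client is the evidence of what is in use.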

How to Implement Encryption

Follow these steps to implement comprehensive encryption across your organization.

Step 1: Inventory All ePHI Storage and Transmission

Identify every location where ePHI is stored and every method of transmission.

  • Document all devices storing ePHI
  • Map all network communication paths
  • Identify third-party systems and integrations
  • Review backup and disaster recovery processes
  • Assess mobile and remote access scenarios

Step 2: Select Appropriate Encryption Technologies

Choose encryption solutions that meet HIPAA guidance and industry standards.

  • Select AES-256 for data at rest
  • Implement TLS 1.2+ for data in transit
  • Use cryptographic modules validated under FIPS 140-2 or FIPS 140-3 through NIST's CMVP; "validated" means the module holds a certificate, which is stronger than a vendor's "FIPS compliant" claim
  • Evaluate vendor encryption capabilities for cloud services, including who holds and can use the keys

Step 3: Implement Encryption Controls

Deploy encryption across all identified ePHI storage and transmission points.

  • Enable full disk encryption on all endpoints
  • Configure database encryption (TDE)
  • Enforce HTTPS/TLS for all web applications
  • Implement secure email encryption
  • Encrypt cloud storage buckets and volumes
  • Enforce device encryption, and block unencrypted devices, through mobile device management (MDM)

Step 4: Manage Encryption Keys Securely

Establish robust key management practices to protect encryption keys.

  • Use dedicated key management systems (KMS)
  • Separate key storage from encrypted data
  • Implement key rotation policies
  • Control access to encryption keys
  • Maintain key backup and recovery procedures
  • Document key management procedures

Step 5: Test and Validate Encryption

Verify that encryption is working properly across all systems.

  • Test encrypted communications end-to-end
  • Verify encryption strength and algorithms
  • Conduct penetration testing
  • Validate key recovery procedures
  • Review encryption logs and monitoring

Step 6: Maintain and Monitor Encryption

Continuously monitor and update encryption implementations.

  • Monitor encryption status across devices
  • Alert on encryption failures or disabled encryption
  • Update encryption protocols as standards evolve
  • Rewrap data-encryption keys when a key-encryption key is rotated (with envelope encryption the stored ciphertext itself is untouched); re-encrypt the data only when a data-encryption key is retired or suspected compromised
  • Document encryption in risk assessments

When Can You Skip Encryption? (Addressable Status)

Because encryption is currently "addressable," you may choose not to implement it if you document why it is not reasonable and appropriate in your environment and implement an equivalent alternative measure that achieves the same purpose. The documented rationale must come from your risk analysis, and it is increasingly difficult to justify.

Internal Network Communications
Addressable

If your risk assessment determines that your internal network is sufficiently secure (e.g., air-gapped, physically secured, no external access), you may determine that encryption in transit is not necessary for internal communications. However, this is becoming increasingly difficult to justify given modern network complexity and the 2025 HIPAA updates proposing mandatory encryption.

Legacy Systems Unable to Support Encryption
Addressable

If you have legacy systems that cannot support encryption, you must document why encryption is not reasonable and appropriate, and implement equivalent alternative measures such as physical security, network segmentation, or limited access. Plan to replace or upgrade these systems as soon as feasible.

Performance Concerns
Addressable

Performance impact is generally not an acceptable reason to skip encryption with modern hardware and encryption algorithms. If performance is a concern, you can use hardware-accelerated encryption, optimize encryption implementations, or upgrade infrastructure. Document performance testing and mitigation measures.

Important Note

With modern encryption technologies being widely available, cost-effective, and having minimal performance impact, it is very difficult to justify not implementing encryption. HHS expects encryption for ePHI in nearly all circumstances. The proposed 2025 updates would eliminate the addressable status entirely, making encryption mandatory.

HIPAA Regulatory References

45 CFR 164.312(a)(2)(iv)

Encryption and Decryption for Data at Rest (Addressable)

45 CFR 164.312(e)(2)(ii)

Encryption for Data in Transit (Addressable)

45 CFR 164.402

Breach definition (encryption safe harbor)

NIST SP 800-111

Guide to Storage Encryption Technologies for End User Devices (the HHS breach safe-harbor guidance points to it for data at rest)

NIST SP 800-52 Rev. 2

Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (the same HHS guidance points to SP 800-52 for data in transit)
