Healthcare Encryption Checklist: Essential Steps to Protect PHI and Meet HIPAA Requirements

Protecting protected health information (PHI) hinges on strong, well-managed encryption. This checklist walks you through practical steps to align with the HIPAA Security Rule while applying NIST Encryption Standards to safeguard ePHI across systems, networks, and endpoints.

Use it to confirm what you already do, identify gaps, and prioritize actions that reduce risk without disrupting care delivery.

HIPAA Encryption Requirements

Under the HIPAA Security Rule, encryption for ePHI is an addressable safeguard—meaning you must implement it when reasonable and appropriate, or document an equivalent alternative and the risk-based rationale. In practice, encryption is expected for both data at rest and data in transit wherever PHI could be exposed.

• Map where PHI resides and flows, including EHRs, imaging, portals, messaging, backups, and analytics pipelines.
• Adopt NIST Encryption Standards (for example, AES-256 for storage and TLS 1.3 Protocol for network connections) to ensure interoperable, vetted cryptography.
• Define when exceptions apply, document compensating controls, and revisit them after system or threat changes.
• Embed encryption decisions into policies, procedures, vendor contracts, and change management.
• Train workforce members to handle encrypted data, keys, and recovery steps without creating new risks.

Encryption for Data at Rest

Databases and structured PHI

Use AES-256 Encryption with modern modes to protect databases containing ePHI. Enable Transparent Data Encryption to encrypt files, logs, and backups at the database layer with minimal application changes.

• Turn on Transparent Data Encryption for EHR, billing, and patient-portal databases to protect files and snapshots.
• Encrypt application secrets and PHI-related configuration parameters outside code repositories.
• Segment high-risk datasets and limit query access to the minimum necessary.

Files, images, and unstructured PHI

Medical images, documents, and exports require consistent, enforceable storage encryption. Combine full-disk/volume encryption with file-level controls for sensitive exports and clinician workstations.

• Enable volume or filesystem encryption on servers, NAS/SAN, and object storage buckets storing PHI.
• Apply file-level encryption for exports shared with researchers or external providers.
• Restrict decryption to authorized processes; prohibit ad hoc local copies of PHI.

Backups, archives, and removable media

Backups are prime targets because they aggregate long histories of PHI. Treat Backup Media Encryption as non-negotiable, including offsite copies and cloud snapshots.

• Encrypt all backup sets at the source and again at rest in target repositories.
• Store keys separately from backup media; test restore procedures without weakening key controls.
• Encrypt removable media and securely wipe or destroy retired drives and tapes.

Encryption for Data in Transit

Web, APIs, and services

Standardize on the TLS 1.3 Protocol for portals, APIs, and interoperability services to gain modern cipher suites and forward secrecy. For legacy dependencies, allow tightly constrained TLS 1.2 only with strong AEAD ciphers.

• Require TLS 1.3, disable obsolete protocols and ciphers, and enable certificate transparency and strict revocation checking.
• Use mutual TLS (mTLS) between internal services and when exchanging PHI with trusted partners.
• Enforce HSTS on patient- and clinician-facing web applications.

Email, file transfer, and messaging

TLS protects the channel, not the message once it leaves secure systems. For PHI over email or file transfer, apply end-to-end protections or secure portals.

• Enable SMTP TLS for gateway-to-gateway encryption; use S/MIME or PGP for message-level protection when required.
• Standardize on SFTP/FTPS for transfers and prohibit unencrypted FTP/HTTP.
• Use secure messaging platforms that apply strong, modern cryptography and access controls.

Networks, telehealth, and mobility

Protect east–west traffic and remote access paths to prevent lateral movement and ePHI interception.

• Use IPsec or WireGuard-based VPNs for site-to-site and remote admin connectivity.
• For telehealth, use platforms that employ SRTP with robust key exchange to secure audio/video.
• Segment clinical networks and encrypt management channels for IoMT and medical devices where feasible.

Key Management

Strong encryption fails without rigorous key governance. Centralize control with Enterprise Key Management Systems to standardize generation, storage, rotation, and auditing.

• Generate keys using NIST-approved random number generation and store them in HSMs or FIPS-validated modules.
• Rotate keys on a defined schedule and upon suspected compromise; support automated re-encryption where feasible.
• Separate duties for key custodians, security administrators, and system operators; enforce least privilege.
• Version, label, and escrow keys securely; protect backups of keys offline or in hardened vaults.
• Log all key lifecycle events (creation, activation, rotation, destruction) and review regularly.

Endpoint Security

Endpoints often handle PHI at the point of care. Enforce encryption consistently to mitigate loss, theft, or malware risk without blocking clinical workflows.

• Enable full-disk encryption on laptops, tablets, and clinician workstations; require pre-boot authentication.
• Apply mobile device management to enforce device encryption, screen locks, remote wipe, and OS hardening.
• Disable unauthorized removable storage or require automatic encryption of any detachable media.
• Use credential vaults and avoid storing PHI in local application caches whenever possible.

Risk Assessment

Encryption choices must follow a current, documented risk assessment that maps PHI, evaluates threats, and prioritizes controls. Reassess after major changes and at least annually.

• Inventory PHI repositories and data flows; identify where encryption is absent or misconfigured.
• Model threats such as ransomware, credential theft, man-in-the-middle, lost devices, and malicious insiders.
• Quantify impact and likelihood to rank remediation; pilot controls in clinical environments to validate usability.
• Assess third parties and Business Associates for equivalent encryption and key management practices.

Compliance Documentation

Regulators and auditors expect evidence that encryption is implemented, monitored, and governed. Keep documentation actionable and aligned to operations.

• Maintain policies and procedures for data-at-rest, data-in-transit, and key management covering AES-256 Encryption and TLS 1.3 Protocol standards.
• Record system-level configurations, screenshots, and command outputs that prove Transparent Data Encryption, volume encryption, and Backup Media Encryption are enabled.
• Track exceptions with compensating controls, risk acceptance, owners, and review dates.
• Capture training rosters, incident playbooks, tabletop results, and evidence of periodic key rotation.
• Ensure contracts and BAAs specify encryption obligations and the use of Enterprise Key Management Systems.

Summary

Prioritize encryption where PHI concentrates, standardize on NIST Encryption Standards, and centralize keys. Document what you do, verify it routinely, and close gaps quickly—so you protect patients while meeting HIPAA requirements with confidence.

FAQs.

What are the HIPAA encryption requirements?

HIPAA treats encryption as an addressable safeguard under the HIPAA Security Rule: you must implement strong encryption for ePHI at rest and in transit when it is reasonable and appropriate. If you choose an alternative, you must document the risk analysis, compensating controls, and justification. In practice, regulators expect NIST-aligned encryption and clear evidence that it is configured, monitored, and maintained.

How do you encrypt data at rest in healthcare?

Use AES-256 Encryption as your baseline. Turn on Transparent Data Encryption for databases, apply full-disk or volume encryption on servers and endpoints, and use file-level encryption for exported PHI. Do not overlook Backup Media Encryption for tapes, snapshots, and archives. Keep keys in an enterprise KMS or HSM and separate them from the data they protect.

What encryption methods protect data in transit?

Standardize on the TLS 1.3 Protocol for portals, APIs, and service-to-service traffic, enabling modern cipher suites and forward secrecy. Use mutual TLS for trusted partner connections, IPsec or modern VPNs for site-to-site links, and S/MIME or PGP for message-level email protection when required. Prefer SFTP/FTPS over legacy FTP for file transfers.

How should encryption keys be managed securely?

Centralize control with Enterprise Key Management Systems and, where possible, FIPS-validated HSMs. Generate keys using NIST-approved methods, rotate and revoke them on schedule and on events, enforce least-privilege access, and keep auditable logs of the full key lifecycle. Back up keys securely and test recovery so you never trade availability for confidentiality.