HIPAA Security Rule Encryption: What’s Required and How to Comply


Kevin Henry

HIPAA

February 11, 2024


Encryption Requirement Overview

The HIPAA Security Rule requires safeguards to protect electronic protected health information (ePHI). Encryption appears as an addressable implementation specification for both storage and transmission, meaning you must assess your environment and either implement encryption or document why an alternative control manages the risk as well or better.

Practically, regulators expect encryption in transit and encryption at rest for systems that create, receive, maintain, or transmit ePHI. Both covered entities and business associates share responsibility; business associate obligations must clearly assign who encrypts which data, with evidence that the control is operating as intended.

When you use encryption, you reduce the likelihood of unauthorized disclosure and strengthen breach-notification posture. If you choose an alternative, you must show that your cybersecurity safeguards achieve an equivalent level of protection and that the decision is revisited as risks evolve.

Implementing Encryption Mechanisms

Use proven cryptography and validated implementations. For data at rest, favor strong symmetric encryption (for example, AES-256) delivered via full-disk encryption on endpoints, database or volume encryption on servers, and application-layer encryption for sensitive fields. Ensure backups, snapshots, and replicas are encrypted with the same rigor.

For data in transit, enforce modern transport encryption between users, apps, and services. Require TLS 1.2+ (preferably TLS 1.3), disable weak ciphers, and validate certificates across web, APIs, email gateways, and VPNs. For email containing ePHI, use secure messaging, opportunistic or forced TLS, or a patient portal, depending on your risk analysis.
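The transport baseline above (TLS 1.2 minimum, weak ciphers disabled, certificates validated) can be expressed as a reusable configuration and audited automatically. The following Go program is an added example written for this article, not code from the article or from any product it mentions; the `Finding`, `HardenedTLSConfig`, `AuditTLSConfig` and `AuditConnection` names are this example's own. It builds a config that meets the baseline, and audits any `tls.Config` or completed handshake against the same rules, which is the check a continuous-monitoring job would run.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Finding is one way a TLS setting falls short of the baseline
// (TLS 1.2 minimum, no weak cipher suites, certificates validated).
type Finding string

// HardenedTLSConfig returns a tls.Config that meets that baseline. The
// cipher list only applies to TLS 1.2; Go's TLS 1.3 suites are all AEAD
// with forward secrecy and cannot be configured.
func HardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
		// InsecureSkipVerify is left false so peer certificates are validated.
	}
}

// weakSuite reports whether a cipher suite should not be offered: anything
// Go itself marks insecure (RC4, 3DES, ...), any TLS 1.2 suite without
// ECDHE key exchange (no forward secrecy), and any CBC-mode suite.
func weakSuite(id uint16) bool {
	for _, cs := range tls.InsecureCipherSuites() {
		if cs.ID == id {
			return true
		}
	}
	name := tls.CipherSuiteName(id)
	if strings.HasPrefix(name, "TLS_AES_") || strings.HasPrefix(name, "TLS_CHACHA20_") {
		return false // TLS 1.3 suites are all acceptable
	}
	return !strings.Contains(name, "ECDHE") || strings.Contains(name, "CBC")
}

// AuditTLSConfig returns the gaps between a tls.Config and the baseline;
// an empty result means the config passes.
func AuditTLSConfig(c *tls.Config) []Finding {
	var out []Finding
	if c.MinVersion < tls.VersionTLS12 {
		out = append(out, "MinVersion not pinned to TLS 1.2 or higher")
	}
	if c.InsecureSkipVerify {
		out = append(out, "certificate verification disabled (InsecureSkipVerify)")
	}
	for _, id := range c.CipherSuites {
		if weakSuite(id) {
			out = append(out, Finding("weak cipher suite offered: "+tls.CipherSuiteName(id)))
		}
	}
	return out
}

// AuditConnection applies the same checks to a completed handshake, the
// view a monitoring job has of live connections.
func AuditConnection(cs tls.ConnectionState) []Finding {
	var out []Finding
	if cs.Version < tls.VersionTLS12 {
		out = append(out, "negotiated protocol below TLS 1.2")
	}
	if weakSuite(cs.CipherSuite) {
		out = append(out, Finding("weak cipher suite negotiated: "+tls.CipherSuiteName(cs.CipherSuite)))
	}
	return out
}

func main() {
	// A deliberately weak config, constructed for the demonstration.
	weak := &tls.Config{MinVersion: tls.VersionTLS10, InsecureSkipVerify: true,
		CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA}}
	for _, f := range AuditTLSConfig(weak) {
		fmt.Println("finding:", f)
	}
	fmt.Println("hardened config findings:", len(AuditTLSConfig(HardenedTLSConfig())))
}
```

`AuditConnection` is the half worth wiring into monitoring: a config can be correct on paper while a load balancer or proxy in front of it negotiates something older, so checking `tls.ConnectionState` on real sessions confirms the control is operating, not just configured.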

Establish robust key management: centralized key custodianship, hardware- or cloud-backed key management systems, unique keys per environment, rotation schedules, separation of duties, strict access controls, and audit trails. Protect keys separately from encrypted data and implement secure deletion procedures when decommissioning media.
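The at-rest guidance (AES-256 at the application layer for sensitive fields) and the key-management guidance above (unique keys, rotation, keys kept apart from data) come together in one small design. The Go program below is an added example for this article, not the article's or any vendor's code; `KeyRing`, `EncryptField`, `DecryptField`, `ReEncrypt` and `KeyVersion` are names chosen here. It encrypts a field with AES-256-GCM, prefixes each ciphertext with the key version it was sealed under, binds the field name as associated data so ciphertexts cannot be moved between columns, and shows rotation: new writes use the newest key while a re-encryption pass migrates older records. Keys are generated in memory so the example runs offline; in production they would be held in an HSM or KMS, as the text says.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const headerLen = 4 // big-endian key version prefixed to every ciphertext

// KeyRing holds AES-256 data keys by version. Keys live in memory here so
// the example runs offline (an assumption for the demo); a real deployment
// would fetch them from an HSM/KMS and never store them beside the data.
type KeyRing struct {
	keys    map[uint32][]byte
	current uint32
}

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[uint32][]byte{}} }

// Rotate generates a fresh key and makes it the version used for new
// encryptions; earlier versions stay available for decryption only.
func (r *KeyRing) Rotate() (uint32, error) {
	k := make([]byte, 32) // 256-bit key
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return 0, err
	}
	r.current++
	r.keys[r.current] = k
	return r.current, nil
}

func (r *KeyRing) aead(version uint32) (cipher.AEAD, error) {
	k, ok := r.keys[version]
	if !ok {
		return nil, fmt.Errorf("unknown key version %d", version)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one value under the current key.
// Layout: version (4 bytes) || nonce (12 bytes) || ciphertext || GCM tag.
// The field name is the associated data, so a blob copied into another
// column fails authentication on decrypt.
func (r *KeyRing) EncryptField(field string, plaintext []byte) ([]byte, error) {
	gcm, err := r.aead(r.current)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, headerLen, headerLen+len(nonce)+len(plaintext)+gcm.Overhead())
	binary.BigEndian.PutUint32(out, r.current)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, []byte(field)), nil
}

// DecryptField opens a blob with whichever key version it names; any
// tampering with the header, nonce or ciphertext makes GCM reject it.
func (r *KeyRing) DecryptField(field string, blob []byte) ([]byte, error) {
	if len(blob) < headerLen {
		return nil, errors.New("ciphertext too short")
	}
	gcm, err := r.aead(KeyVersion(blob))
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < headerLen+ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[headerLen:headerLen+ns], blob[headerLen+ns:], []byte(field))
}

// KeyVersion reads the key version a stored blob was sealed under, which
// lets a rotation job find records still on retired keys.
func KeyVersion(blob []byte) uint32 {
	if len(blob) < headerLen {
		return 0
	}
	return binary.BigEndian.Uint32(blob[:headerLen])
}

// ReEncrypt migrates a record from its old key to the current one, the step
// a rotation schedule needs for data written before the rotation.
func (r *KeyRing) ReEncrypt(field string, blob []byte) ([]byte, error) {
	pt, err := r.DecryptField(field, blob)
	if err != nil {
		return nil, err
	}
	return r.EncryptField(field, pt)
}

func main() {
	ring := NewKeyRing()
	ring.Rotate()
	ct, _ := ring.EncryptField("ssn", []byte("123-45-6789")) // constructed sample value
	ring.Rotate()
	ct2, _ := ring.ReEncrypt("ssn", ct)
	fmt.Println("key version before/after rotation:", KeyVersion(ct), KeyVersion(ct2))
}
```

The version prefix is what makes a rotation schedule operable: an audit query can count records by `KeyVersion` to prove the old key is no longer in use before it is destroyed, which is the evidence a reviewer will ask for.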

Close operational gaps that undermine encryption. Require multi-factor authentication, least-privilege access, mobile device management with remote wipe, encrypted removable media or its prohibition, and continuous monitoring to verify that encryption controls remain enabled and effective.

Addressable Specification Considerations

“Addressable” does not mean “optional.” It means you decide—through a documented analysis—whether encryption is reasonable and appropriate and, if not, what alternative safeguards will achieve comparable protection. Consider your size, complexity, technical infrastructure, and the probability and impact of threats.

Cost alone is not a sufficient reason to decline encryption. If you justify an alternative, tie it to concrete compensating controls (for example, segmented networks, data minimization, strong access controls, and physical security) and define conditions under which you will revisit the decision, such as new threats, system changes, or expanded data sharing.

In most modern contexts—cloud services, mobile workflows, telehealth, and distributed workforces—encryption at rest and in transit is both feasible and expected. Exceptions should be rare, time-bound, and supported by evidence in your risk analysis documentation.

Conducting Risk Assessments

Begin with an inventory of systems, applications, data stores, and third parties that handle ePHI. Map data flows, including where ePHI is created, transmitted, processed, backed up, and archived. Identify threats and vulnerabilities, then estimate likelihood and impact to establish risk levels.

Evaluate how encryption at rest and encryption in transit would reduce those risks and where additional cybersecurity safeguards are needed. Document decisions in clear risk analysis documentation: assets, threats, current controls, residual risk, selected mitigations, acceptance rationale, and review dates.

Repeat assessments at least annually and upon material changes—system migrations, acquisitions, new integrations, or incidents. Include business associate obligations by assessing vendors’ encryption posture, contract terms, evidence of control operation, and remediation plans when gaps are found.


Exceptions to Encryption Requirements

HIPAA permits you to implement an alternative when encryption is not reasonable and appropriate, provided you can demonstrate equivalent protection. One example is honoring a patient’s request to receive ePHI by unencrypted email after advising the patient of the risks and documenting the preference.

Where end-to-end encryption cannot be achieved due to legacy systems or constrained devices, use layered defenses—strong access controls, segmentation, monitoring, and rapid migration plans—while you work toward encryption. Note that properly encrypted ePHI, with keys uncompromised, can qualify for breach “safe harbor,” reducing notification obligations if a device is lost or stolen.

Documenting Compliance Practices

Maintain written policies and procedures that specify when and how you encrypt ePHI, who is accountable, and what exceptions require approval. Include standards for algorithms, key lengths, key management, certificate handling, device encryption, email handling, and backup protection.

Preserve objective evidence: system configurations, key rotation logs, vulnerability scans, penetration test results, and screenshots or reports showing encryption enabled. Keep risk analysis documentation, risk treatment plans, training records, incident reports, and business associate agreements for at least six years from creation or last effective date.

Ensure change management requires encryption verification before go-live. For third parties, collect assurance artifacts and monitor them periodically to confirm that contractual encryption commitments remain in force.

Preparing for the 2025 Regulatory Update

As regulatory expectations continue to rise in 2025, prepare by closing known gaps rather than waiting for final details. Standardize on modern transport encryption, retire legacy protocols, and ensure universal coverage of encryption at rest across servers, endpoints, mobile devices, and backups.

Strengthen key management with centralized control, hardware-backed protection, automated rotation, and tamper-evident logging. Clarify business associate obligations for encryption and incident reporting, and test end-to-end workflows—from data creation to archival—to verify that ePHI stays encrypted throughout its lifecycle.

Refresh your risk analysis documentation to reflect current threats (such as ransomware and data extortion), system changes, and any new services added in 2025. Validate your incident response plan, including procedures for lost devices, key compromise, and rapid certificate replacement.

Summary: make encryption your default, prove it with evidence, and keep decisions current. If an update alters expectations, you will already be aligned with the spirit and the security outcomes regulators seek.

FAQs

What does the HIPAA Security Rule require for encryption?

Encryption is an addressable implementation specification for protecting ePHI at rest and in transit. You must either implement it where reasonable and appropriate or document an alternative that achieves equivalent protection, along with the rationale and supporting safeguards.

How should entities conduct risk assessments for encryption?

Inventory systems and data flows, analyze threats and vulnerabilities, estimate risk, and determine how encryption reduces that risk. Record decisions as risk analysis documentation, including chosen controls, residual risk, acceptance justifications, and a schedule for periodic review and updates.

Are there exceptions to mandatory encryption under HIPAA?

Yes. If encryption is not reasonable and appropriate in a specific context, you may use an alternative control, provided you document why it offers comparable protection. Limited exceptions include honoring a patient’s informed request for unencrypted communications, with the discussion and preference documented.

How must compliance with encryption requirements be documented?

Maintain policies and procedures, technical standards, configuration evidence, key management records, training logs, incident reports, and signed business associate agreements. Retain these materials for at least six years and update them whenever systems, vendors, or risks materially change.
