HIPAA Encryption Requirements

Updated March 2026 · HIPAA Security Rule 45 CFR 164.312

HIPAA Encryption at a Glance

  • AES-256: industry standard for encrypting ePHI at rest
  • TLS 1.2+: minimum protocol version for ePHI in transit
  • 68%: share of breaches that involve unencrypted devices or transmissions

HIPAA’s Security Rule at 45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii) classifies encryption as an addressable implementation specification — not optional. “Addressable” means you must implement encryption or document an equivalent alternative safeguard and the reasoning behind it. In practice, nearly every auditor and OCR investigator treats encryption as a de facto requirement because no equivalent alternative provides comparable protection.

The proposed 2026 Security Rule update goes further: it would reclassify encryption from addressable to required for all ePHI, eliminate the distinction between required and addressable specifications entirely, and mandate MFA for all systems accessing ePHI. This guide breaks down exactly what you need to implement today — and what’s coming next.

“Addressable” Does Not Mean Optional

The single biggest misconception in HIPAA compliance is that “addressable” means optional. Under 45 CFR 164.306(d)(3), covered entities must follow a specific decision process for every addressable specification:

Option A: Implement the specification

Deploy encryption as described. Document what you implemented and when. This is the path 95%+ of organizations take for encryption.

Option B: Implement an equivalent alternative

If encryption is not reasonable and appropriate, implement an alternative measure that achieves the same protective purpose. Document the rationale and the alternative chosen.

Option C: Do not implement (high risk)

Only if the specification is not reasonable and appropriate and no equivalent alternative exists. You must document the risk analysis justifying this decision. OCR almost never accepts this for encryption.

“In 20 years of enforcement, OCR has never accepted ‘encryption is not reasonable’ as a valid justification for a covered entity with internet-connected systems.”

— Common observation from HIPAA compliance consultants

Encrypting Data at Rest

Data at rest is any ePHI stored on a physical medium — hard drives, SSDs, USB sticks, backup tapes, or cloud storage volumes. The standard referenced by HIPAA is NIST SP 800-111 (Guide to Storage Encryption Technologies). In practice, this means AES-256 encryption with XTS mode for full-disk encryption.

Device / Storage | Solution | Standard
Windows laptops / desktops | BitLocker (built-in, free) | AES-256, XTS mode
macOS laptops / desktops | FileVault 2 (built-in, free) | AES-256, XTS mode
Linux workstations | LUKS / dm-crypt | AES-256, XTS mode
USB drives / portable media | BitLocker To Go or VeraCrypt | AES-256
Database servers | TDE (SQL Server, Oracle, MySQL) | AES-256
Cloud storage (AWS, Azure, GCP) | Server-side encryption (SSE) | AES-256, customer-managed keys recommended

Data-at-rest encryption checklist

  • Enable full-disk encryption on every device that stores ePHI
  • Use pre-boot authentication (PIN or password before OS loads)
  • Enable remote wipe capability for all mobile devices and laptops
  • Encrypt database backups — not just the live database
  • Store encryption keys separately from encrypted data
  • Rotate encryption keys annually or after personnel changes
  • Document all encryption implementations in your security policies

Lost or stolen devices account for a significant share of HIPAA breaches. If a laptop with properly documented encryption is stolen, it qualifies for the breach safe harbor under 45 CFR 164.402(2). No breach notification is required if the data was encrypted and the key was not compromised.

Encrypting Data in Transit

Data in transit is ePHI moving across a network — between a browser and server, between email systems, or between your EHR and a clearinghouse. The governing NIST standard is NIST SP 800-52 (Guidelines for TLS Implementations). The minimum acceptable protocol is TLS 1.2, with TLS 1.3 strongly recommended.

  • TLS 1.0 (released 1999): Deprecated
  • TLS 1.1 (released 2006): Deprecated
  • TLS 1.2 (released 2008): Acceptable
  • TLS 1.3 (released 2018): Recommended

Email containing ePHI

TLS 1.2+ enforced, or S/MIME / PGP end-to-end encryption

Standard Gmail and Outlook do NOT meet this without additional configuration

Web portals & patient-facing apps

TLS 1.2+ with HSTS headers, forward secrecy ciphers

Disable TLS 1.0 and 1.1 entirely — they contain known vulnerabilities

Messaging & chat platforms

End-to-end encryption with BAA from vendor

Standard WhatsApp, iMessage, and SMS do NOT qualify

Telehealth / video conferencing

AES-256 encryption, BAA required from platform vendor

Consumer Zoom does not qualify — only Zoom for Healthcare with BAA
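The in-transit requirements above (TLS 1.2 minimum, TLS 1.0/1.1 disabled, forward-secrecy ciphers, HSTS on patient portals) can be checked from the client side with nothing but the Python standard library. The script below is an added example, not code from this guide or from any vendor: it builds a hardened client SSLContext, grades a negotiated protocol/cipher pair, and checks an HSTS header. The cipher-name prefixes, the one-year HSTS floor, and the sample negotiations in the main block are this example's own assumptions; probe_server needs network access and a real hostname.

```python
"""Client-side TLS posture checks for an ePHI web portal (added example)."""
from __future__ import annotations

import socket
import ssl

# This guide's floor: TLS 1.2 acceptable, TLS 1.3 recommended; 1.0/1.1 must be disabled.
ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Cipher-suite name fragments that indicate a broken algorithm was negotiated.
BROKEN_ALGORITHMS = ("RC4", "3DES", "DES-CBC3", "NULL", "MD5", "EXPORT")


def hardened_client_context() -> ssl.SSLContext:
    """SSLContext that verifies certificates and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()             # certificate + hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # deny-by-default for deprecated versions
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # For TLS 1.2, allow only ECDHE (forward secrecy) suites with AEAD ciphers.
    # TLS 1.3 suites are always forward-secret and are configured separately by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def assess_connection(protocol: str, cipher: str) -> list[str]:
    """Findings for a negotiated (protocol, cipher suite) pair; an empty list means acceptable."""
    findings: list[str] = []
    if protocol in DEPRECATED_PROTOCOLS:
        findings.append(f"{protocol} is deprecated; TLS 1.2 is the minimum")
    elif protocol not in ACCEPTABLE_PROTOCOLS:
        findings.append(f"unrecognised protocol {protocol!r}")
    # TLS 1.3 suites are forward-secret by construction; older suites need (EC)DHE key exchange.
    if protocol != "TLSv1.3" and not cipher.startswith(("ECDHE-", "DHE-")):
        findings.append(f"cipher {cipher} does not provide forward secrecy")
    if any(bad in cipher.upper() for bad in BROKEN_ALGORITHMS):
        findings.append(f"cipher {cipher} uses a broken algorithm")
    return findings


def check_hsts(headers: dict[str, str], min_max_age: int = 31_536_000) -> list[str]:
    """Require a Strict-Transport-Security header with at least a one-year max-age (assumed floor)."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["missing Strict-Transport-Security header"]
    directives: dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val.strip()
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    findings: list[str] = []
    if max_age < min_max_age:
        findings.append(f"HSTS max-age {max_age} is below {min_max_age}")
    if "includesubdomains" not in directives:
        findings.append("HSTS does not cover subdomains")
    return findings


def probe_server(host: str, port: int = 443) -> dict[str, str]:
    """Connect with the hardened context and report what was negotiated (needs network access)."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"protocol": tls.version(), "cipher": tls.cipher()[0]}


if __name__ == "__main__":
    # Constructed samples standing in for probe_server() results from three portals.
    samples = [
        ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
        ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),
        ("TLSv1", "AES128-SHA"),
    ]
    for proto, suite in samples:
        print(proto, suite, assess_connection(proto, suite) or "OK")
    print(check_hsts({"Strict-Transport-Security": "max-age=300"}))
```

Because the context refuses to go below TLS 1.2, a probe with probe_server against a server that only offers TLS 1.0/1.1 fails to connect at all, which is itself the finding; a successful connection is then graded by assess_connection. The HSTS check expects the response headers as a plain dict, so it can be fed from any HTTP client.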

For detailed guidance on specific platforms, see our guides on whether Gmail is HIPAA compliant, Zoom meets HIPAA standards, or our comparison of HIPAA-compliant email providers.

HIPAA Password Requirements

HIPAA itself does not prescribe specific password complexity rules. Instead, the Security Rule at 45 CFR 164.312(d) requires “procedures for verifying that a person or entity seeking access to ePHI is the one claimed.” The de facto standard for meeting this is NIST SP 800-63B (Digital Identity Guidelines), which HHS explicitly references in enforcement guidance.

NIST 800-63B Recommendations

  • Require a minimum of 12 characters (15+ recommended for admin accounts)
  • Allow passwords up to at least 64 characters
  • Allow all printable ASCII characters, spaces, and Unicode
  • Screen new passwords against known-breached password lists
  • Use salted hashing (bcrypt, scrypt, or Argon2id) for storage
  • Lock accounts after a defined number of consecutive failures
  • Require password changes only when compromise is suspected

Outdated Practices to Eliminate

  • Do NOT require periodic rotation (e.g., every 90 days) without cause
  • Do NOT impose arbitrary composition rules (uppercase + number + symbol)
  • Do NOT use password hints or knowledge-based recovery questions
  • Do NOT truncate or silently limit password length
  • Do NOT store passwords in plaintext or reversible encryption
  • Do NOT send passwords via email or unencrypted channels

The single most impactful change: stop forcing 90-day password rotations. NIST research shows that mandatory rotation leads to weaker passwords (users choose predictable patterns like Spring2026! Summer2026!). Instead, pair strong initial passwords with ongoing security awareness training and credential monitoring.
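The two lists above translate directly into code: length floors with no composition rules or forced rotation, a breached-list screen, salted slow hashing, and lockout after consecutive failures. The script below is an added example, not from this guide or from NIST; it uses scrypt from the standard library in place of bcrypt or Argon2id so it runs without extra packages. The breached-password set, the 128-character ceiling, the 5-failure / 15-minute lockout, and the account name dr_smith are all constructed assumptions.

```python
"""NIST SP 800-63B-style password handling (added example)."""
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 12            # this guide's minimum for ordinary users
ADMIN_MIN_LENGTH = 15      # recommended minimum for admin accounts
MAX_LENGTH = 128           # 800-63B: accept at least 64; reject rather than silently truncate
LOCKOUT_THRESHOLD = 5      # consecutive failures before the account locks (assumed value)
LOCKOUT_SECONDS = 15 * 60  # lock duration (assumed value)

# Constructed stand-in for a breached-password feed. In production, screen against a
# service such as Have I Been Pwned instead of a hard-coded set.
BREACHED_PASSWORDS = {"password123", "Spring2026!", "Summer2026!", "Welcome2026!", "letmein12345"}


def _normalize(password: str) -> str:
    # 800-63B asks for Unicode normalization so the same passphrase always hashes the same way.
    return unicodedata.normalize("NFKC", password)


def validate_password(password: str, is_admin: bool = False) -> list[str]:
    """Return policy findings; an empty list means the password is acceptable.

    Deliberately absent: composition rules and a rotation age, which 800-63B advises against.
    Spaces and any printable Unicode are accepted as-is.
    """
    password = _normalize(password)
    findings: list[str] = []
    minimum = ADMIN_MIN_LENGTH if is_admin else MIN_LENGTH
    if len(password) < minimum:
        findings.append(f"shorter than {minimum} characters")
    if len(password) > MAX_LENGTH:
        findings.append(f"longer than {MAX_LENGTH} characters (rejected, not truncated)")
    if password in BREACHED_PASSWORDS:
        findings.append("appears in a known-breached password list")
    return findings


def hash_password(password: str) -> str:
    """Salted scrypt hash (stdlib); bcrypt or Argon2id are equally acceptable with a library."""
    salt = os.urandom(16)
    n, r, p = 2 ** 14, 8, 1
    digest = hashlib.scrypt(_normalize(password).encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(_normalize(password).encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class LoginThrottle:
    """Per-account consecutive-failure counter with a timed lockout."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD, lock_seconds: int = LOCKOUT_SECONDS):
        self.threshold = threshold
        self.lock_seconds = lock_seconds
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0.0) > now

    def record(self, user: str, success: bool, now: float) -> None:
        if success:
            self._failures.pop(user, None)   # a good login resets the counter
            return
        count = self._failures.get(user, 0) + 1
        if count >= self.threshold:
            self._locked_until[user] = now + self.lock_seconds
            count = 0   # counter restarts once the lockout expires
        self._failures[user] = count


if __name__ == "__main__":
    for candidate in ("Spring2026!", "correct horse battery staple"):
        print(repr(candidate), validate_password(candidate) or "OK")
    stored = hash_password("correct horse battery staple")
    print("verify:", verify_password("correct horse battery staple", stored))
```

Note what the validator does not do: it never rejects a long passphrase with spaces, never demands a digit or symbol, and never consults a password age. The stored string carries its own parameters so the cost factors can be raised later without breaking existing hashes.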

MFA: Current Status & 2026 Rule Update

Today, MFA is not explicitly named in the HIPAA Security Rule. It falls under the “access control” standard at 45 CFR 164.312(a)(1). However, virtually every OCR resolution agreement since 2020 has included MFA as a corrective action item. The message is clear: single-factor authentication is no longer acceptable.

Proposed 2026 Security Rule Update

The HHS Notice of Proposed Rulemaking (NPRM) published in January 2025 would make MFA mandatory for all access to ePHI — no exceptions, no addressable workarounds. The final rule is expected by mid-2026, with a compliance deadline approximately 180 days after publication. Start planning now.

The three authentication factor categories

Something you know

Password, PIN, security phrase

Weakest alone — subject to phishing, reuse, brute force

Something you have

Hardware security key (FIDO2), authenticator app, smart card

Strong — physical possession required, resistant to remote attacks

Something you are

Fingerprint, facial recognition, iris scan

Strongest — cannot be transferred, lost, or forgotten

For small practices, the most cost-effective MFA approach is combining passwords with a free authenticator app (Google Authenticator, Microsoft Authenticator, or Duo). Hardware keys (YubiKey, Titan) add stronger phishing resistance for admin accounts. Ensure your business associate agreements require MFA from all vendors accessing your ePHI.

HIPAA Firewall Requirements

The Security Rule does not use the word “firewall” explicitly, but 45 CFR 164.312(e)(1) requires “technical security measures to guard against unauthorized access to ePHI transmitted over an electronic communications network.” Firewalls are the primary mechanism for meeting this requirement. OCR expects a defense-in-depth approach with multiple layers.

Perimeter firewall

NIST SP 800-41 Rev 1

Hardware firewall appliance at the network edge. Required for any practice with internet connectivity. Configure stateful packet inspection, deny-by-default rules, and separate DMZ for public-facing services.

Network segmentation

45 CFR 164.312(e)(1)

Isolate ePHI systems on a separate VLAN from guest WiFi, IoT devices, and general office traffic. A breach in your waiting room WiFi should never reach your EHR server.

Host-based firewalls

NIST SP 800-41 Rev 1

Enable the OS-level firewall (Windows Defender Firewall, macOS Application Firewall) on every endpoint. This provides defense-in-depth even inside your trusted network.

Web application firewall (WAF)

NIST SP 800-44

Required for any patient portal or web application handling ePHI. Protects against SQL injection, XSS, and other OWASP Top 10 threats.

Firewall logging & monitoring

  • Log all inbound and outbound connections at the perimeter firewall
  • Retain firewall logs for a minimum of 6 years (HIPAA retention requirement)
  • Review logs at least weekly — automated alerting is strongly recommended
  • Monitor for unusual traffic patterns (large data exports, connections to unknown IPs)
  • Document your firewall rule set and review it quarterly
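The weekly review and the "unusual traffic patterns" bullet above can be automated over the firewall's export. The script below is an added example, not from this guide or from any firewall vendor: it parses a generic allow/deny line format assumed for this example, then flags clinical hosts talking to external addresses outside a known-good list, outbound volume to one destination above a threshold, and any allowed traffic from the guest WiFi subnet into the clinical subnet. The subnets, the vendor range, the threshold, and every log line are constructed.

```python
"""Weekly perimeter-firewall log review over constructed sample lines (added example)."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

# Assumed network layout (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # the practice's own address space
CLINICAL_NET = ipaddress.ip_network("10.20.0.0/24")    # EHR server and clinical workstations
GUEST_NET = ipaddress.ip_network("10.99.0.0/24")       # waiting-room WiFi
# External ranges the practice legitimately talks to (e.g., EHR vendor cloud); constructed.
KNOWN_EXTERNAL = [ipaddress.ip_network("52.10.1.0/24")]
EXPORT_THRESHOLD_BYTES = 100_000_000   # outbound volume per (src, dst) that warrants a look

# Generic log line format assumed by this example (not any specific vendor's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<direction>IN|OUT) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample export; 203.0.113.0/24 is a documentation range used as a stand-in.
SAMPLE_LOG = """\
2026-03-02T09:15:02 ALLOW OUT src=10.20.0.15 dst=52.10.1.20 dport=443 bytes=18230
2026-03-02T09:16:10 ALLOW OUT src=10.20.0.15 dst=52.10.1.20 dport=443 bytes=22100
2026-03-02T11:02:44 ALLOW OUT src=10.20.0.31 dst=203.0.113.45 dport=22 bytes=95000000
2026-03-02T11:04:01 ALLOW OUT src=10.20.0.31 dst=203.0.113.45 dport=22 bytes=87000000
2026-03-02T12:30:00 DENY IN src=10.99.0.77 dst=10.20.0.5 dport=445 bytes=0
2026-03-02T12:30:05 ALLOW IN src=10.99.0.77 dst=10.20.0.5 dport=3389 bytes=1200
"""


def parse_log(text: str) -> list[dict]:
    """Turn log lines into dicts with typed addresses, ports and byte counts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # a production review should count and report unparseable lines
        ev = m.groupdict()
        ev["src"] = ipaddress.ip_address(ev["src"])
        ev["dst"] = ipaddress.ip_address(ev["dst"])
        ev["dport"] = int(ev["dport"])
        ev["bytes"] = int(ev["bytes"])
        events.append(ev)
    return events


def _in_any(ip: ipaddress.IPv4Address | ipaddress.IPv6Address, nets) -> bool:
    return any(ip in net for net in nets)


def review(events: list[dict]) -> dict:
    """Apply the three review rules and return the findings per category."""
    unknown_destinations: set[str] = set()
    outbound_totals: dict[tuple[str, str], int] = defaultdict(int)
    segmentation_violations: list[tuple[str, str, int]] = []
    for ev in events:
        if ev["action"] != "ALLOW":
            continue   # denied traffic means the rule set worked; it is reviewed separately
        if ev["direction"] == "OUT" and ev["src"] in CLINICAL_NET:
            # Rule 1: clinical host reached an external address not on the known-good list.
            if not _in_any(ev["dst"], INTERNAL_NETS) and not _in_any(ev["dst"], KNOWN_EXTERNAL):
                unknown_destinations.add(str(ev["dst"]))
            # Rule 2: accumulate outbound volume per (src, dst) to catch large exports.
            outbound_totals[(str(ev["src"]), str(ev["dst"]))] += ev["bytes"]
        # Rule 3: guest WiFi must never be allowed into the clinical VLAN.
        if ev["src"] in GUEST_NET and ev["dst"] in CLINICAL_NET:
            segmentation_violations.append((str(ev["src"]), str(ev["dst"]), ev["dport"]))
    large_exports = {pair for pair, total in outbound_totals.items() if total > EXPORT_THRESHOLD_BYTES}
    return {
        "unknown_destinations": unknown_destinations,
        "large_exports": large_exports,
        "segmentation_violations": segmentation_violations,
    }


if __name__ == "__main__":
    for category, items in review(parse_log(SAMPLE_LOG)).items():
        print(f"{category}: {sorted(items) if items else 'none'}")
```

Each non-empty category is a ticket for the weekly review, and the rule 3 hits in particular point at a firewall rule that contradicts the segmentation design and should be fixed in the documented rule set, not just noted.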

Document your entire network architecture as part of your risk assessment. The proposed 2026 rule would require network segmentation maps and annual penetration testing for all covered entities.

The Encryption Safe Harbor

Perhaps the single strongest business case for encryption: the HITECH Act breach safe harbor at 45 CFR 164.402(2). If ePHI is encrypted in accordance with HHS guidance and the encryption key was not compromised, the data is not considered “unsecured PHI”, so no breach notification is required.

Encrypted Device Lost

  • Laptop with BitLocker AES-256 stolen from car
  • Encryption key stored separately (not on device)
  • Result: No breach notification required
  • Cost: ~$1,500 (replacement device)

Unencrypted Device Lost

  • Same laptop stolen, no encryption enabled
  • 3,200 patient records accessible on the hard drive
  • Result: Full breach notification required
  • Cost: $150,000+ (notifications, credit monitoring, OCR investigation, potential fine)

To qualify for the safe harbor, your encryption must meet the standards specified in HHS Guidance (Federal Register Vol. 74, No. 79): NIST SP 800-111 for data at rest and NIST SP 800-52 for data in transit. Self-built or unvalidated encryption schemes do not qualify. Organizations with the 2021 HITECH amendment (HR 7898) protections can further reduce penalties by demonstrating recognized security practices, including NIST-compliant encryption, for at least 12 months prior to an incident.

Implementation Guide for Small Practices

You do not need a six-figure security budget. Most small practices can achieve full encryption compliance using built-in tools and free software. Follow these steps in order — each builds on the previous.

1. Enable full-disk encryption on every device

BitLocker (Windows Pro/Enterprise) and FileVault (macOS) are free and built-in. Enable on every workstation, laptop, and any external drives used for backups.

Cost: Free (built-in) · Time: 1-2 hours per device

2. Enforce TLS 1.2+ on email and web portals

Verify your email provider supports enforced TLS (not opportunistic). For patient portals, confirm your hosting uses a valid SSL/TLS certificate and has disabled TLS 1.0/1.1.

Cost: Free – $50/yr (SSL cert) · Time: 2-4 hours

3. Deploy MFA on all systems with ePHI access

Enable MFA on your EHR, email, cloud storage, and any remote access tools. Google Authenticator or Microsoft Authenticator are free. For higher security, use hardware keys for admin accounts.

Cost: Free – $50/key · Time: 1-2 hours

4. Update password policies to NIST 800-63B

Set minimum 12-character passwords, eliminate forced rotation, screen against breached password lists (haveibeenpwned API is free), and implement account lockout after 5-10 failed attempts.

Cost: Free · Time: 1 hour

5. Configure and verify firewall rules

Confirm your internet router has firewall enabled with deny-by-default. Segment guest WiFi from clinical systems. Enable logging and set a calendar reminder for weekly log review.

Cost: $200-800 (hardware firewall) · Time: 4-8 hours

6. Document everything

Record what encryption you use, on which devices, when it was configured, and who is responsible. Store documentation alongside your risk assessment — OCR will ask for both.

Cost: Free · Time: 2-3 hours

“The biggest compliance risk for small practices isn’t cost — it’s inaction. Every tool on this list is either free or under $1,000. The average HIPAA fine for a small practice exceeds $50,000.”

Once you’ve completed these steps, validate your posture with a HIPAA compliance checklist and schedule a full risk assessment if you haven’t completed one in the last 12 months.

Verify your encryption posture today

Run a HIPAA risk assessment to identify encryption gaps, then walk through the compliance checklist to confirm every safeguard is documented. Encryption without documentation is a finding waiting to happen.
