HIPAA encryption best practices

Is HIPAA encryption required?

HIPAA encryption isn’t technically mandatory under the Health Insurance Portability and Accountability Act. That said, the Health and Human Services’ Security Rule stipulates that an entity should implement encryption if it finds that encryption would be a reasonable and appropriate safeguard for its electronic PHI. Otherwise, it needs to implement an equivalent alternative to HIPAA encryption—and document why it did so. Documentation is important, especially in the case of an audit by the Office for Civil Rights. So encryption (or its equivalent) is required if it’s reasonable and appropriate to encrypt—which it usually is. Basically, HIPAA says there are only two ways to safeguard against the misuse of PHI: Encrypt it, or burn it.

Why is HIPAA so vague?

We know it’s frustrating, but we’re not sure why it’s so vague on the topic of HIPAA encryption. That’s why it’s important to do more than check the box on compliance by focusing on solutions that provide real security.

What is HIPAA encryption, anyway?

At this point, it’s probably worthwhile to explain just what encryption is. Encryption converts regular, readable text into encoded text. The text is encrypted by means of an algorithm. Only people who have the appropriate encryption key would be able to decrypt, or translate, the text into its original, comprehensible version. The strongest, industry-leading standard for at-rest data—and the standard Sookasa uses—is AES 256-bit encryption.

Encryption tends to be an effective means by which entities beholden to HIPAA can secure protected health information, which is why so many implement it. But there are a number of different HIPAA encryption methods.

The main thing that encryption mitigates is unauthorized access to information—especially on lost or stolen devices. You no doubt have read countless cases of breaches that were reported because laptops rife with unencrypted data were stolen. The worst part? Without encryption or auditability, it’s not even clear what happens to various files. HIPAA encryption solutions, especially file-level encryption, which we’ll explain in more detail below, are meant to minimize this risk, because the protections should follow your sensitive data no matter where it resides.

What are the different methods of HIPAA encryption?

You’ve got options for HIPAA encryption. But—spoiler alert!—we think file encryption is the most fool-proof, and therefore best from a compliance perspective. That’s why Sookasa uses file-level encryption to protect your most sensitive information in the cloud.

  • Full-Disk Encryption: This method encrypts all the data on a computer’s hard drive, including the computer’s operating system. Access is restricted through user authentication. All the information encrypted using full-disk encryption on an unbooted computer is protected. But once the computer is booted, full-disk encryption no longer provides protection; once the operating system loads, it takes over the responsibility of protecting information.
    • Caveat encryptor! Full-disk encryption often cannot protect files copied or moved from the encrypted storage to another location (either local or on the network), because the files are automatically decrypted as part of the process.
  • Virtual Disk Encryption: You might find this approach on all types of end-user device storage. This method encrypts containers, which hold many files and folders. Users need to be authenticated to access a container; once they are, the container is mounted as a virtual disk.
  • File Encryption: File-level encryption enables users to encrypt specific files and folders with a unique key. This means the information is unavailable to unauthorized viewers. Importantly, files encrypted in this way remain protected regardless of where they are stored, because you’re encrypting the file itself rather than just the place where it resides or travels. File encryption solutions can mitigate threats involving malware and remote access to protected information.

What about data in transit?

These days, data is designed to move—between colleagues, to billing offices, or between you and patients. So what are HIPAA encryption best practices for data in transit?

  • Introducing the Secure Sockets Layer: SSL is a secure transfer tunnel, meaning data is encrypted in transit. SSL is used to protect files transferred between the user’s browser and the cloud solution, for example, or between the application on a user’s device and the cloud server. This prevents someone from listening in as your information is routed across the Internet.
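The in-transit protection this bullet describes, shown as an added example that is not part of the original article and not Sookasa’s software: a Go program (standard library only) in which a client sends a constructed PHI record to a server over TLS, the current name for the protocol the article calls SSL. The client verifies the server certificate against its own trust pool, both sides refuse anything below TLS 1.2, and a second run with an empty trust pool shows the handshake being refused before any data leaves the client. The host name phi-store.example, the record text, and the self-signed certificate (standing in for a CA-issued one so the program runs offline on the loopback interface) are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Hypothetical names for the example; neither is a real service or patient.
const (
	serverName   = "phi-store.example"
	sampleRecord = "MRN 000123 (constructed sample): lab results attached"
)

// newServerCert makes an ECDSA P-256 key and a self-signed certificate for
// serverName. A deployment would use a CA-issued certificate; self-signing only
// keeps the example offline. The parsed certificate is returned for the trust pool.
func newServerCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// serve accepts one connection, runs the TLS handshake, and hands back the plaintext
// the client sent (empty if the handshake failed). MinVersion refuses SSL 3.0 and TLS 1.0/1.1.
func serve(ln net.Listener, cert tls.Certificate, got chan<- string) {
	conn, err := ln.Accept()
	if err != nil {
		got <- ""
		return
	}
	defer conn.Close()
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	data, _ := io.ReadAll(tls.Server(conn, cfg)) // a failed handshake yields no data
	got <- string(data)
}

// RoundTrip starts a one-shot server on loopback and sends record to it over TLS,
// trusting only the certificates in pool. It returns what the server received, the
// negotiated protocol version, and the client's error; with a pool that lacks the
// server's certificate the client aborts before any application data is sent.
func RoundTrip(cert tls.Certificate, pool *x509.CertPool, record string) (string, uint16, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", 0, err
	}
	got := make(chan string, 1)
	go serve(ln, cert, got)
	cfg := &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
	var version uint16
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err == nil {
		version = conn.ConnectionState().Version
		_, err = conn.Write([]byte(record))
		conn.Close() // close_notify lets the server's read finish with EOF
	}
	ln.Close() // unblocks Accept if the client never connected
	return <-got, version, err
}

func main() {
	cert, leaf, err := newServerCert()
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(leaf)
	got, ver, err := RoundTrip(cert, trusted, sampleRecord)
	fmt.Printf("trusted CA:   received %q, TLS version %#x, err=%v\n", got, ver, err)
	got, _, err = RoundTrip(cert, x509.NewCertPool(), sampleRecord)
	fmt.Printf("untrusted CA: received %q, err=%v\n", got, err)
}
```

When evaluating a vendor’s “SSL” claim, the two settings shown above are the ones to ask about: which minimum protocol version is enforced (`MinVersion`) and whether the client actually verifies the server certificate (`RootCAs` and `ServerName`, never `InsecureSkipVerify`). Without the second, the tunnel encrypts traffic but cannot tell whether the other end is the intended server.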

Anything else we should know about HIPAA encryption best practices?

Beyond the encryption mechanism itself, there are a number of best practices for managing your encryption solution. These include:

  • Centrally manage everything: You can make it easier to enforce the security policies you’re working hard to implement by using centralized management. This basically means that you’ve got administrative control over how user devices are configured, updates are installed, and logs are reviewed. At Sookasa, we provide account admins with a centralized, web-based dashboard that gives them full insight into their organization.
  • Leave safety nets for mistakes—there are bound to be errors. The scope of an error should never be a mystery. The best full-service HIPAA encryption tools help prevent mistakes, or provide a remedy for them, by keeping records and offering the ability to revoke recipients’ keys.
  • Develop a strategy for managing keys: Do you know where your HIPAA encryption key is? If a key is lost or damaged, you might be out of luck in recovering your encrypted information. That means keys need to be carefully managed. You might want to do it yourself, or you might want to have your storage provider hang on to them.
  • Implement robust user authentication: One of the things nearly all HIPAA encryption solutions hold in common is that users need to authenticate themselves before they’ll be granted access to encrypted data. These methods might be usernames and passwords, personal identification numbers, cryptographic tokens, biometrics, or smart cards. The best advice we can give is ensuring that the authentication methods are unique—or possibly even include two-factor authentication.
  • Educate your team and patients. Many mistakes can be avoided by making people aware of expectations and precautions they can take, like physically protecting their devices or promptly reporting device loss and theft.
  • Encrypt what you need—not just everything in sight. It isn’t necessary — and may even be inappropriate — to treat all information equally. Flexible solutions that allow you to set permissions according to the sensitivity of the information are ideal.
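As an added example (not Sookasa’s code or the article’s own), tying together the file-level encryption described in the methods section and the key-management and key-revocation points in this list: a Go program using only the standard library that encrypts a constructed clinical note with AES-256-GCM under a per-file data key, wraps that key separately for each authorized recipient, and revokes one recipient by rotating the data key and re-encrypting the file. The recipient names, the note text, and the caller-supplied key-encryption keys are assumptions of the example; a real deployment would keep the KEKs in a KMS or HSM, or derive them from user credentials.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG; every key and nonce comes from here.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe fallback if the system random source fails
	}
	return b
}

// aead builds AES-GCM for key; a 32-byte key selects AES-256.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only for a key of the wrong length
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal returns nonce || ciphertext || tag under a fresh random nonce;
// open reverses it and fails on a wrong key or any change to the blob.
func seal(key, pt []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, pt, nil)
}
func open(key, blob []byte) ([]byte, error) {
	gcm := aead(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("truncated blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// ProtectedFile is one file under its own data key, never stored in the clear: each
// recipient gets a copy wrapped under their key-encryption key (KEK). A product would
// keep KEKs in a KMS/HSM; here they are caller-supplied random bytes (an assumption).
type ProtectedFile struct {
	Blob    []byte            // ciphertext; stays protected wherever it is copied
	Wrapped map[string][]byte // recipient id -> data key wrapped under their KEK
	dataKey []byte            // held only by the key manager
}

func NewProtectedFile(plaintext []byte) *ProtectedFile {
	key := randomBytes(32)
	return &ProtectedFile{Blob: seal(key, plaintext), Wrapped: map[string][]byte{}, dataKey: key}
}

// Grant authorizes recipient by wrapping the data key under their KEK.
func (f *ProtectedFile) Grant(recipient string, kek []byte) {
	f.Wrapped[recipient] = seal(kek, f.dataKey)
}

// Read unwraps the data key with the recipient's KEK and decrypts the blob;
// a revoked grant (no wrapped key), a wrong KEK or a tampered blob all fail.
func (f *ProtectedFile) Read(recipient string, kek []byte) ([]byte, error) {
	key, err := open(kek, f.Wrapped[recipient])
	if err != nil {
		return nil, err
	}
	return open(key, f.Blob)
}

// Revoke drops recipient and rotates the data key: the file is re-encrypted under
// a fresh key, re-wrapped for everyone still listed (keks holds their KEKs). Caveat:
// a copy of the old blob and old key the revoked party saved earlier stays readable.
func (f *ProtectedFile) Revoke(recipient string, keks map[string][]byte) error {
	plaintext, err := open(f.dataKey, f.Blob)
	if err != nil {
		return err
	}
	delete(f.Wrapped, recipient)
	f.dataKey = randomBytes(32)
	f.Blob = seal(f.dataKey, plaintext)
	for id := range f.Wrapped {
		if _, ok := keks[id]; !ok {
			return errors.New("no KEK on record for " + id)
		}
		f.Grant(id, keks[id])
	}
	return nil
}

func main() {
	keks := map[string][]byte{"dr-alice": randomBytes(32), "dr-bob": randomBytes(32)}
	file := NewProtectedFile([]byte("MRN 000123 (constructed sample): follow-up in 2 weeks"))
	for id, kek := range keks {
		file.Grant(id, kek)
	}
	oldKey := append([]byte(nil), file.dataKey...) // what a revoked user may have cached
	revokeErr := file.Revoke("dr-bob", keks)
	note, aliceErr := file.Read("dr-alice", keks["dr-alice"])
	_, bobErr := file.Read("dr-bob", keks["dr-bob"])
	_, oldErr := open(oldKey, file.Blob)
	fmt.Printf("revoke: %v\nalice: %q %v\nbob: %v\nold key: %v\n", revokeErr, note, aliceErr, bobErr, oldErr)
}
```

Two points from this list show up in the code. The ciphertext in `Blob` is what follows the file wherever it is copied, which is the file-level property the methods section describes. And revocation is only as good as the records behind it: rotating the key cuts off the revoked recipient from the current version and anything written afterwards, but it cannot recall a copy they already saved, so knowing who received which key (the “safety net” point above) is what tells you the scope of a mistake.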

But HIPAA compliance is about more than mere HIPAA encryption. There are other, related best practices you can find her