Does HIPAA Require the Encryption of EPHI?

The Security Rule for the Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA), does not require that Electronic Protected Health Information (EPHI) be encrypted. Encryption of personal health is not mandatory, but may be an addressable specification - meaning that an entity must assess if it's a reasonably required in particular circumstances. The HIPAA Security Rule is codified under 45 CFR 164.312, which sets down four guidelines for the security of patient data.

1. User IDs must track who accesses EPHI. Implementing this measure is required.

2. There must be a way to access EPHI in an emergency. Implementing this measure is required.

3. Automatic logoffs can terminate access to EPHI. Entities must address whether or not this measure is necessary.

4. Encryption is an addressable measure.

It also necessary to address if security audits are needed to detect the improper alteration or disposal of EPHI.


Recent Posts

See All

Relativity Security White Paper

The security white paper for Relativity, Understanding Security in RelativityOne, is available for download here. It was released in February 2019. Keep the following points in mind about Relativity

Enforce HTTPS

Hypertext Transfer Protocol Secure (HTTPS) is used for secure communications on networks and over the internet. It uses the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocol. An

Contact Me With Your Litigation Support Questions:

  • Twitter Long Shadow

© 2015 by Sean O'Shea . Proudly created with