The Security Rule for the Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA), does not require that Electronic Protected Health Information (EPHI) be encrypted. Encryption of personal health is not mandatory, but may be an addressable specification - meaning that an entity must assess if it's a reasonably required in particular circumstances. The HIPAA Security Rule is codified under 45 CFR 164.312, which sets down four guidelines for the security of patient data.
1. User IDs must track who accesses EPHI. Implementing this measure is required.
2. There must be a way to access EPHI in an emergency. Implementing this measure is required.
3. Automatic logoffs can terminate access to EPHI. Entities must address whether or not this measure is necessary.
4. Encryption is an addressable measure.
It also necessary to address if security audits are needed to detect the improper alteration or disposal of EPHI.