HIPAA Encryption Requirements:
How to Protect PHI in 2026
An engineering guide to encrypting protected health information — at rest, in transit, and in use
AES-256 + TLS 1.3 baselines
Key management that passes audit
Field-level encryption patterns
By Garvita Amin· Healthcare Technology Experts
May 11, 2026 · 14 min read
Encryption is the single control that turns a HIPAA breach into a non-event. The Breach Notification Rule has a safe harbor for properly encrypted PHI: if attackers grab ciphertext, the disclosure does not have to be reported. That makes encryption the cheapest, highest-leverage investment in your compliance stack — and the one most teams get subtly wrong. This guide is the engineering version: what HIPAA actually requires, which algorithms pass audit, and how to architect key management so the audit safe harbor actually holds.
What HIPAA Actually Requires for Encryption
HIPAA does not say "use AES-256." The Security Rule speaks the language of risk, not algorithms. The clause every team needs to know is § 164.312(a)(2)(iv) — the Encryption and Decryption standard — paired with § 164.312(e)(2)(ii), which covers transmission security. Both standards used to be classified as "addressable," which gave covered entities room to argue that an alternative control was equivalent. The January 2025 Security Rule update closed that door.
As of 2025 and through 2026, encryption is required — no equivalent alternatives, no addressable opt-out. If your stack stores or transmits electronic PHI, it must be encrypted, full stop. The good news: the Breach Notification Rule offers a safe harbor for PHI that is encrypted to the current NIST standard. A stolen laptop with encrypted disk is a non-event. The same laptop with plaintext PHI is a six-figure OCR settlement.
HIPAA tells you to encrypt. NIST tells you how. The audit safe harbor only applies when both are satisfied — your encryption matches the current NIST guidance, and you can document it.
Where the standard actually lives
NIST Special Publication 800-111 governs encryption for data at rest. SP 800-52 Rev. 2 governs TLS for data in transit. SP 800-57 governs key management. When OCR asks for your encryption documentation, they are looking for direct or indirect references to these documents. (HIPAA fundamentals are in our BAA vs HIPAA explainer; this post drills into the encryption clause specifically.)
The Three States of PHI — and How Each Must Be Encrypted
PHI exists in three states, and each needs a different encryption story. Teams that conflate them either over-engineer one and under-engineer another, or assume that "encrypted at rest" covers everything.
At rest. PHI sitting in a database, object store, backup, log file, cache, message queue, or local file system. Required: AES-256 (or equivalent), with keys managed separately from the data.
In transit. PHI flowing over a network — between services, to a browser, to a third-party API. Required: TLS 1.2 or higher. TLS 1.3 preferred. Forward secrecy on, weak ciphers off.
In use. PHI loaded into application memory, being processed. Traditionally not encrypted, but enclave-based options (AWS Nitro Enclaves, Azure Confidential Computing, Intel SGX) now exist for the highest-sensitivity workloads.
Common Trap — "We're encrypted, the database has SSE on"
Server-side encryption on a database protects against someone walking out with the disk. It does not protect against an over-privileged service account, an SQL injection, a compromised pod, or a leaked backup. For sensitive PHI fields — SSN, MRN, free-text clinical notes — add column- or field-level encryption on top.
Algorithms That Pass Audit (and the Ones That Don't)
HIPAA defers to NIST. NIST's position on each algorithm changes over time. The table below reflects the 2026 baseline. Anything in the "avoid" column will fail a thorough OCR audit, even if it "technically works."
| Purpose | Use | Acceptable | Avoid |
|---|---|---|---|
| Symmetric (bulk data) | AES-256-GCM | AES-128-GCM, AES-256-CBC + HMAC | 3DES, RC4, DES |
| Transport | TLS 1.3 | TLS 1.2 (strong ciphers only) | SSL v2/v3, TLS 1.0/1.1 |
| Hashing (integrity) | SHA-256, SHA-3 | SHA-384, SHA-512 | MD5, SHA-1 |
| Password storage | Argon2id, bcrypt (cost ≥ 12) | scrypt, PBKDF2 (≥ 600k iters) | MD5, SHA-1, plain SHA-256 |
| Asymmetric / key exchange | ECDHE (P-256, X25519) | RSA-2048+ for legacy | RSA-1024, static DH |
| Signatures | ECDSA P-256, Ed25519 | RSA-PSS 2048+ | RSA-PKCS1v1.5 with SHA-1 |
For an end-to-end example of these standards wired into a production build, the patterns in our HIPAA-compliant healthcare app guide ship with these baselines as defaults.
Forward Secrecy Matters
If your TLS configuration does not negotiate an ECDHE-family cipher, an attacker who later steals your private key can decrypt every session they previously recorded. Modern browsers will negotiate forward-secret ciphers by default — but legacy clients and misconfigured load balancers will silently fall back. Test with testssl.sh or SSL Labs.
Key Management — Where Most HIPAA Encryption Stories Fail
Encrypting data without a key management story is theater. If the keys live in the same database as the ciphertext, an attacker who reads the database reads the keys. If keys are in environment variables checked into source control, anyone with git access can decrypt PHI. § 164.312(a)(2)(iv) implicitly requires real key management; § 164.308(a)(3)(ii)(A) makes it explicit by requiring designated key custodians and access control.
90 days
Best-practice key rotation
6 yrs
Key + access log retention
≥ 2
Designated key custodians
Use a managed KMS or an HSM — not a config file
AWS KMS, Google Cloud KMS, and Azure Key Vault are all HIPAA-eligible under their respective cloud BAAs. They handle key storage, rotation, access policy, and audit logging out of the box. For workloads that need FIPS 140-3 Level 3, use a CloudHSM-style hardware security module. Either way, application code never sees the master key — it asks the KMS to perform the decrypt.
Envelope encryption: rotate without re-encrypting petabytes
Envelope encryption uses two layers: a data encryption key (DEK) that encrypts the data, and a key encryption key (KEK) that encrypts the DEK. The KEK lives in the KMS; the encrypted DEK lives next to the ciphertext. To rotate, you re-encrypt the DEK with the new KEK — the underlying data does not have to move. Every cloud KMS supports this pattern; use it.
# AWS KMS — generate a data key and envelope-encrypt a row
$ aws kms generate-data-key \
--key-id alias/health-prod-phi \
--key-spec AES_256
# Returns: Plaintext (use, then discard) and CiphertextBlob (store)
# Decrypt path: aws kms decrypt --ciphertext-blob fileb://dek.binCustomer-managed keys (BYOK) when required by contract
Some healthcare customers — particularly large health systems and government clients — contractually require that they own the master key. BYOK (Bring Your Own Key) lets them import a key generated on their own HSM into your KMS. Decryption still happens server-side, but the customer can revoke the key to render their data unreadable. AWS, GCP, and Azure all support BYOK on their KMS tiers.
Rotation policy you can actually defend
Rotate KEKs at least annually; 90 days is the modern norm for high-sensitivity workloads. Automatic rotation (KMS-managed) is fine for most cases. Document the cadence in your key management policy. The single most common audit finding in this area is "you say you rotate every 90 days, but the KMS console shows the master key has not changed in 2 years." Don't be that team.
Implementation Patterns on AWS, Azure, and GCP
The three major HIPAA-eligible clouds have converged on similar primitives — managed KMS, server-side encryption for storage, TLS termination at the load balancer — with slightly different names and trade-offs. The shortlist below is what teams ship with verticomply. If your AI features touch any of this PHI, the rules in our HIPAA Compliant AI guide apply on top.
| Need | AWS | Azure | GCP |
|---|---|---|---|
| Managed KMS | AWS KMS | Key Vault | Cloud KMS |
| HSM (FIPS 140-3 L3) | CloudHSM | Managed HSM | Cloud HSM |
| Object store SSE | S3 SSE-KMS | Storage SSE-CMK | GCS CMEK |
| Relational DB at rest | RDS + KMS CMK | SQL TDE + Key Vault | Cloud SQL + CMEK |
| Confidential compute | Nitro Enclaves | Confidential VMs | Confidential VMs |
| BAA-eligible by default |
A reference shape that passes audit
# Postgres / RDS — column-level for high-sensitivity PHI
CREATE EXTENSION pgcrypto;
CREATE TABLE patient (
id uuid PRIMARY KEY,
mrn_encrypted bytea NOT NULL, -- AES-256 via KMS DEK
dek_ciphertext bytea NOT NULL, -- KEK-wrapped DEK
-- Disk encryption (RDS + KMS) sits underneath all of this
...
);
# At read time: KMS.Decrypt(dek_ciphertext) -> plaintext DEK,
# then AES-decrypt mrn_encrypted with DEK in app memory.Verify Region Pinning
A BAA-eligible service in us-east-1 is not automatically BAA-eligible in us-west-2. Read the cloud provider's HIPAA-eligible services list, pin your regions, and add a guardrail (Service Control Policy, Azure Policy, or org policy) that blocks PHI workloads outside those regions.
The HIPAA Encryption Checklist
Walk this before any feature that touches PHI ships. Each item maps directly to a control an OCR auditor will ask about.
Every PHI store (database, object store, backups, queues, caches, log files) is encrypted with AES-256 or equivalent
Every PHI-bearing network call uses TLS 1.2+ with forward-secret ciphers (TLS 1.3 preferred)
Deprecated protocols and ciphers are blocked at the load balancer / gateway, not just discouraged in code
Master keys live in a managed KMS or HSM, not in environment variables or config files
Envelope encryption is in use for any store with rotation requirements
High-sensitivity fields (SSN, MRN, free-text notes) have column- or field-level encryption on top of disk encryption
Key rotation is automated, documented, and verified in the KMS console
At least two named key custodians are designated in your key management policy
Every encrypt and decrypt operation is logged with user, time, key ID, and resource — retained six years
Backups are encrypted with the same standard as live data; restore tests verify decryptability
The risk analysis names the encryption algorithm, key length, and key management approach for each PHI store
BAAs are in place with every infrastructure provider that touches PHI or keys
Mistakes That Break the Audit Safe Harbor
Mistake 1: Assuming disk encryption covers everything
Server-side encryption on RDS or S3 protects against the "someone steals the disk" threat. It does nothing for the realistic threats — credential leaks, SQL injection, over-privileged service accounts. For sensitive PHI fields, add application-level encryption that requires a separate KMS call to decrypt.
Mistake 2: Keys in environment variables or source control
A master key checked into a private git repo is still a finding. Worse, the moment any developer's laptop is compromised, every encrypted value in your stack is now plaintext to the attacker. Use a KMS. Always.
Mistake 3: Logging plaintext PHI in error messages
A try/except that logs the exception message, plus an SQL error that includes the queried PHI row, equals plaintext PHI in CloudWatch. Sanitize before logging. Treat your observability pipeline as PHI-eligible infrastructure or scrub at the source.
Mistake 4: Forgetting backups and replicas
The primary database is encrypted. The nightly backup that lands in a different account is not. The read replica that powers analytics is not. Audit every place PHI flows downstream, not just the front-line store. This overlaps with what we cover in HIPAA audit logging — the audit log itself often becomes the leak.
Mistake 5: Manual rotation that never actually happens
"We rotate keys every 90 days" is a policy until it is a ticket nobody picks up. Use the KMS-managed automatic rotation, and verify the rotation date in the console at least quarterly. Auditors check the console, not the policy doc.
Mistake 6: Trusting library defaults without reading the docs
Some popular libraries default to AES-128, ECB mode, or PKCS1v1.5 padding — all weaker than what HIPAA-grade work needs. Read the docs for every crypto primitive you call. Better, prefer high-level libraries (libsodium, AWS Encryption SDK) that make safe defaults the only path.
How to Actually Ship HIPAA Encryption
Inventory every PHI store and flow
List every database, object store, message queue, log, cache, and external integration that handles PHI. Mark whether the data is at rest, in transit, or in use at each step.
Apply the algorithm table to every entry
AES-256-GCM at rest, TLS 1.3 in transit. Anything older requires a remediation ticket and a date.
Move every key into a managed KMS or HSM
Delete every hard-coded key, every env-var key, every "just for now" key file. Rotate after you move — assume the old key is compromised.
Add envelope encryption for any store that needs to scale
Most teams hit rotation pain at gigabytes. Envelope encryption makes the pain go away. Wire it in early.
Add field-level encryption to the top three highest-sensitivity fields
SSN, MRN, free-text clinical notes are the usual suspects. The juice-to-squeeze ratio on field-level encryption for these three is enormous.
Wire encryption operations into your audit log
Every encrypt and decrypt, with user, key ID, resource, time, and outcome. KMSes emit this for free — just make sure you forward it to your SIEM and retain six years.
Document everything in the risk analysis
The artifact OCR will ask for is your written risk analysis (§ 164.308(a)(1)(ii)(A)) plus the key management policy. Both should name algorithms, key lengths, custodians, and rotation cadence.
Frequently Asked Questions
Does HIPAA require encryption?
After the January 2025 Security Rule update, yes. § 164.312(a)(2)(iv) is now required, not addressable. Every covered entity and business associate must encrypt electronic PHI at rest and in transit.
What encryption algorithm does HIPAA require?
HIPAA does not name a specific algorithm, but defers to NIST. The 2026-current baseline is AES-256 for data at rest and TLS 1.2 or higher (1.3 preferred) for data in transit. Algorithms NIST has deprecated — SSL v3, TLS 1.0/1.1, RC4, 3DES, MD5, SHA-1 — fail audit.
Is full-disk encryption enough for HIPAA?
It satisfies the letter of the at-rest standard for that disk, but it does not protect against compromised applications, SQL injection, or over-privileged service accounts. For sensitive PHI fields, add application-level or column-level encryption on top.
How often do I have to rotate encryption keys for HIPAA?
HIPAA does not state a specific interval. NIST SP 800-57 recommends annual rotation at minimum, with 90 days as best practice for high-sensitivity keys. Document your rotation cadence in your key management policy and follow it.
Do I need a BAA with my KMS provider?
Yes if the KMS provider sees, processes, or stores PHI or any data derived from it. Cloud-provider KMSes (AWS KMS, Azure Key Vault, Google Cloud KMS) are covered under the same BAA you sign with the cloud provider. Standalone third-party KMSes require their own BAA.
Is BYOK (Bring Your Own Key) required by HIPAA?
No. HIPAA does not require customer-managed keys. BYOK is a contractual concession to specific customers — usually large health systems or government clients — who want the ability to revoke their key independently of your operations.
What about end-to-end encryption for patient messaging?
End-to-end encryption is excellent for patient messaging and satisfies the in-transit requirement, but you still need to think about message archival. Encrypted messages that you cannot decrypt later may not satisfy your Designated Record Set retention obligations. Plan for both.
Are encrypted backups enough, or do I need to encrypt the export process too?
Both. The backup file must be encrypted at rest, and the network transfer that produces the backup must be encrypted in transit. The most common audit miss is an unencrypted SCP or FTP export to a backup server.
Ship PHI encryption without rolling your own crypto
VertiComply generates healthcare app code with AES-256, TLS 1.3, managed KMS, envelope encryption, and field-level controls for the high-sensitivity fields — wired in by default. You spend your time on the feature, not the cryptographic plumbing.
AES-256 at rest. TLS 1.3 in transit. KMS-managed keys. Audit logs you can hand to OCR.
In This Guide
01
What HIPAA requires for encryption
02
The three states of PHI
03
Algorithms that pass audit
04
Key management architecture
05
AWS / Azure / GCP patterns
06
The encryption checklist
07
Mistakes that break safe harbor
08
How to actually ship it
09
FAQ
Key Numbers
AES bits at rest
256
Preferred TLS version
1.3
Best-practice rotation
90 days
Audit log retention
6 yrs
Glossary
Topics
Related Articles
Continue reading about healthcare compliance and security
How to Build a HIPAA-Compliant Healthcare App Without Code in 2026
The complete 2026 guide to building HIPAA-compliant healthcare apps without code. Covers compliance rules, no-code platforms, what to look for, real costs, common mistakes, and a step-by-step practical sequence for US healthcare startups.
Read article
How to Build a Compliant Healthcare App in 2026
Step-by-step guide to building healthcare apps that meet HIPAA, GDPR, SOC 2 and HITRUST compliance. Covers the 5 essential pillars and AI automation.
Read article
BAA vs HIPAA: Know the Difference (2026 Guide)
BAA vs HIPAA explained in plain English. What each one actually is, why they are not the same thing, who needs a BAA, when it is required, and what happens if you skip it.
Read article