Does HIPAA require encryption?

11. Does HIPAA require encryption and can you provide guidance on this topic for Covered Entities (CE) and Business Associates (BA)?

Answer: Yes, HIPAA does require encryption as stated within the following 164.312 HIPAA Security Rule provisions:

  • 164.312(a)(2)(iv) Implement a mechanism to encrypt and decrypt electronic protected health information.
  • 164.312(e)(2)(ii) Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Also keep in mind that both of the above provisions within HIPAA are listed as “addressable”, which technically means the following, according to the United States Department of Health and Human Services:

If an implementation specification is described as “required,” the specification must be implemented. The concept of “addressable” was essentially put forth to provide healthcare organizations additional flexibility with respect to compliance with the security standards.

Therefore, according to HHS, in meeting standards containing addressable implementation specifications, Covered Entities (CE) and Business Associates (BA) must do one of the following for each addressable specification:

  • Implement the addressable implementation specifications;
  • Implement one or more alternative security measures to accomplish the same purpose;
  • Not implement either an addressable implementation specification or an alternative.

HIPAA Encryption | Addressable vs. Required | What You Need to Know

However, let’s be very clear on one item – in today’s world of regulatory compliance, just remember that “addressable” really means “required”, and for some obvious reasons. First and foremost, most of the “addressable” items are nothing more than information security best practices, so they really should be in place. Second, to effectively ensure the safety and security of Protected Health Information (PHI), many – if not all – of the “addressable” items are going to have to be in place. Think about it, how can a Covered Entity or Business Associate not use encryption in today’s world of increasing cyber security attacks? After all, if you store, process, and/or transmit Protected Health Information (PHI), using encryption is an absolute must!

By making all the “addressable” items required, you’re putting in place the best practices that should be in place anyway! There are many other items listed as “addressable” which in today’s world of cyber security threats are just not sufficient for ensuring the safety and security of PHI, so make sure all the “addressable” items – encryption being an important one – are in place with no conditions. And consider this as food for thought – many of the HIPAA mandates were written literally years ago, so what may have been considered an information technology “luxury” back then is now commonplace for all businesses that store, process, and/or transmit Protected Health Information (PHI). Times change – as the old saying goes – and so do the requirements for ensuring the safety and security of PHI. So does HIPAA require encryption – that is a YES.


If your organization is in need of a HIPAA audit, and or SSAE 16 SOC 1, and SOC 2 assessments that include testing of HIPAA provisions & mandates, please contact Charles Denyer at 1-800-277-5415, ext. 705 with the NDB Alliance of Firms. Learn more about NDB by visiting today.