Comparison · Privacy

Encryption at Rest vs in Transit

Encryption at rest protects ePHI stored on disks, drives, and backups. Encryption in transit protects ePHI moving across networks. HIPAA requires evaluation of both as addressable specifications.

Last reviewed May 24, 2026

Side by side

Option A

Encryption at Rest

Cryptographic protection applied to ePHI while it is stored — on disk, in a database, on backup media, or on a removable device.

45 CFR 164.312(a)(2)(iv)
  • Addressable specification at 45 CFR 164.312(a)(2)(iv).
  • NIST SP 800-111 covers storage encryption guidance.
  • Renders ePHI unusable to unauthorized individuals if media is lost or stolen — the HHS Breach Safe Harbor.
Option B

Encryption in Transit

Cryptographic protection applied to ePHI while it moves across a network — between systems, devices, or organizations.

45 CFR 164.312(e)(2)(ii)
  • Addressable specification at 45 CFR 164.312(e)(2)(ii).
  • NIST SP 800-52 Rev. 2 specifies TLS configurations.
  • Required for email containing PHI sent over open networks unless an exception applies.
When applied
At RestData on disk or media
In TransitData moving across a network
HIPAA citation
At Rest45 CFR 164.312(a)(2)(iv)
In Transit45 CFR 164.312(e)(2)(ii)
NIST guidance
At RestSP 800-111
In TransitSP 800-52 Rev. 2 (TLS)
Breach Safe Harbor
At RestYes — if NIST-acceptable encryption was applied
In TransitYes — if NIST-acceptable encryption was applied

When to use Encryption at Rest

  • Configuring EHR database encryption, full-disk encryption on laptops, encrypted backups.

When to use Encryption in Transit

  • Configuring TLS on the patient portal, encrypting email to external recipients, SFTP for claim files.

Common mistakes

  • Treating either as optional — both are addressable, meaning the practice must implement or document why an equivalent measure is reasonable.
  • Using outdated TLS versions (1.0/1.1) and assuming the connection is encrypted.
  • Forgetting backup media — unencrypted USB or tape backup is a frequent breach source.

Sources

Take it into the workspace

Document encryption controls in SRA Studio

Open sra studio
Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

This comparison is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at CMS, HHS, OCR, eCFR, NIST, and the relevant payer or state regulator. Last reviewed May 24, 2026.