Encryption at Rest vs in Transit
Encryption at rest protects ePHI stored on disks, drives, and backups. Encryption in transit protects ePHI moving across networks. HIPAA requires evaluation of both as addressable specifications.
Last reviewed May 24, 2026
Side by side
Encryption at Rest
Cryptographic protection applied to ePHI while it is stored — on disk, in a database, on backup media, or on a removable device.
45 CFR 164.312(a)(2)(iv)- Addressable specification at 45 CFR 164.312(a)(2)(iv).
- NIST SP 800-111 covers storage encryption guidance.
- Renders ePHI unusable to unauthorized individuals if media is lost or stolen — the HHS Breach Safe Harbor.
Encryption in Transit
Cryptographic protection applied to ePHI while it moves across a network — between systems, devices, or organizations.
45 CFR 164.312(e)(2)(ii)- Addressable specification at 45 CFR 164.312(e)(2)(ii).
- NIST SP 800-52 Rev. 2 specifies TLS configurations.
- Required for email containing PHI sent over open networks unless an exception applies.
When to use Encryption at Rest
- Configuring EHR database encryption, full-disk encryption on laptops, encrypted backups.
When to use Encryption in Transit
- Configuring TLS on the patient portal, encrypting email to external recipients, SFTP for claim files.
Common mistakes
- Treating either as optional — both are addressable, meaning the practice must implement or document why an equivalent measure is reasonable.
- Using outdated TLS versions (1.0/1.1) and assuming the connection is encrypted.
- Forgetting backup media — unencrypted USB or tape backup is a frequent breach source.
Sources
- HHS — Guidance on Encryptionhttps://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html
- NIST SP 800-111 (Storage Encryption)https://csrc.nist.gov/pubs/sp/800/111/final
- NIST SP 800-52 Rev. 2 (TLS)https://csrc.nist.gov/pubs/sp/800/52/r2/final
Related
Document encryption controls in SRA Studio
Open sra studio →D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
This comparison is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at CMS, HHS, OCR, eCFR, NIST, and the relevant payer or state regulator. Last reviewed May 24, 2026.