Encryption at Rest
Cryptographic protection of stored ePHI such that the data is unreadable without the decryption key.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- Security
- Primary sources
- 3
- Workspace handoff
- compliance binder →
Where this comes up
This sits inside the security risk analysis under 45 CFR 164.308(a)(1)(ii)(A) — workstation controls, EHR access roles, ePHI transmission encryption, audit logging, vendor risk, and incident response. Reviewers expect dated evidence of the control, not a policy PDF that says it exists.
Full definition
What it is in practice
45 CFR 164.312(a)(2)(iv) makes encryption "addressable" — required if reasonable and appropriate, with a documented alternative if not. The HHS Breach Notification safe harbor requires encryption that meets NIST standards (FIPS 140-validated).
How it shows up in your practice
Encrypt laptops, mobile devices, and backups by default. Encrypted devices that are lost or stolen do not trigger breach notification, which alone justifies the cost.
Sources
- 45 CFR 164.312 — Technical safeguardshttps://www.ecfr.gov/current/title-45/section-164.312
- HHS — Breach Notification Rulehttps://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
- NIST SP 800-88 — Guidelines for Media Sanitizationhttps://csrc.nist.gov/pubs/sp/800/88/r1/final
Document encryption decisions in the Compliance Binder
Open compliance binder →Related terms
- SecurityEncryption in TransitCryptographic protection of ePHI moving between systems or networks, typically via TLS.
- SecurityTechnical SafeguardsTechnology and the policy and procedures for its use that protect ePHI and control access to it.
- HIPAA & PrivacyHIPAA Breach Notification RuleThe federal rule at 45 CFR Part 164 Subpart D requiring covered entities and business associates to notify affected individuals, HHS, and sometimes the media after a breach of unsecured PHI.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryEncryption in TransitCryptographic protection of ePHI moving between systems or networks, typically via TLS.
- GlossaryTechnical SafeguardsTechnology and the policy and procedures for its use that protect ePHI and control access to it.
- GlossaryHIPAA Breach Notification RuleThe federal rule at 45 CFR Part 164 Subpart D requiring covered entities and business associates to notify affected individuals, HHS, and sometimes the media after a breach of unsecured PHI.
- RegulationHIPAA Device and Media Controls (45 CFR 164.310(d))Required specifications for disposal of hardware and electronic media containing ePHI, and media re-use procedures.
- GlossaryAccess ControlsTechnical policies and procedures that allow only authorized persons or software programs to access ePHI.
- GlossaryAudit LogA record of system activity (logins, record access, configuration changes) that can be reviewed to detect inappropriate access or system compromise.
- ComplianceBreach Risk Assessment: The 4-Factor Analysis Required by 45 CFR 164.402After a possible PHI incident, the four-factor breach risk assessment at 45 CFR 164.402 determines whether you notify. Do it in writing, do it on the record.
- SRAThe HIPAA Breach Notification Rule, ExplainedThe four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.