
HIPAA Encryption Requirements for Medical Practices (2026)

Last updated: March 20, 2026

TLDR

HIPAA technically classifies encryption as 'addressable' rather than 'required' — but this doesn't mean optional. If you don't use encryption for ePHI, you must document an equivalent alternative. In practice, encryption is the standard. Any HIPAA-compliant tool your practice uses should encrypt ePHI at rest (AES-256 or equivalent) and in transit (TLS 1.2+).

Required vs addressable: what the distinction actually means

The HIPAA Security Rule splits its requirements into two categories: required and addressable. Required specifications must be implemented. Addressable specifications must be implemented if they are reasonable and appropriate for your practice, or you must document why an equivalent alternative is sufficient.

Encryption falls in the addressable column under the Security Rule (§164.312(a)(2)(iv) and §164.312(e)(2)(ii)).

In practice, this has caused confusion. Some practice managers read “addressable” as “optional.” It is not. The difference is that you have flexibility in how you satisfy the specification, not whether you satisfy it. If you decide not to encrypt ePHI, you must document what you’re doing instead and why that alternative provides equivalent protection.

No credible alternative to encryption exists for data stored on cloud systems or transmitted over the internet. Auditors and HHS guidance both treat encryption as the expected implementation for modern healthcare software. If your tools are cloud-based (and for most small practices, they are), encrypting ePHI at rest and in transit is not a judgment call.

What encryption standards apply

HHS guidance references NIST standards without mandating specific algorithms by name. The current practical standards:

For data at rest: AES-256 (Advanced Encryption Standard with 256-bit key length). This is the standard used by healthcare software, cloud storage providers, and any vendor that has gone through a HIPAA compliance review.

For data in transit: TLS 1.2 or higher (Transport Layer Security). TLS protects data as it travels over networks. TLS 1.0 and 1.1 are considered deprecated; any HIPAA-compliant tool should be running 1.2 at minimum, with 1.3 increasingly common.

When evaluating a new software tool, ask the vendor directly: what encryption standard do you use for data at rest, and what TLS version do you run? A vendor that can’t answer clearly has not thought through their compliance posture.

Where practices get this wrong

The most common encryption gaps in small practices:

Personal email accounts. A physician emailing lab results from their Gmail personal account to a patient is transmitting PHI without a BAA or end-to-end encryption. Google Workspace (the paid business version) can be configured for HIPAA compliance and comes with a BAA. Personal Gmail accounts cannot.

Consumer file sharing. Sending patient documents via a personal Dropbox or Google Drive personal account has the same problem. The consumer versions of these tools are not covered by BAAs and do not meet HIPAA standards for PHI. The business/workspace versions can be configured for compliance.

Unencrypted laptops and mobile devices. A staff member’s personal laptop that they use for work, or a clinic laptop without full-disk encryption enabled, is a vulnerability. If that device is lost or stolen, PHI is exposed. Enable BitLocker (Windows) or FileVault (Mac) on every device that accesses patient data.

Texting. Standard SMS is not encrypted. Sending appointment reminders with any patient identifiers, or communicating care-related information over regular texts, creates a compliance gap. Purpose-built secure messaging platforms or a HIPAA-compliant patient communication tool addresses this.

Verifying your tools

Before using any software with PHI, confirm two things:

First, will the vendor sign a BAA? This is a non-negotiable prerequisite. No BAA means you cannot use the tool for PHI, regardless of what their marketing says about security.

Second, what encryption do they use? The answer should include a specific standard for data at rest (AES-256 or equivalent) and a TLS version for data in transit (1.2 or 1.3). “We use industry-standard security” is not an answer.
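One way to check the TLS half of that vendor answer yourself, covering both the "what TLS version do you run?" question above and this verification step: an added example, not code from the article or from PHIGuard. It uses only the Python standard library; the hostname is a placeholder you replace with the vendor's endpoint, and the pass/fail policy is the article's rule that 1.2 is the minimum and 1.0/1.1 must be refused.

```python
import socket
import ssl

# Assumed vendor endpoint: a placeholder hostname, not from the article.
HOST = "vendor.example.com"
PORT = 443

# Each probe pins the client to exactly one protocol version.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def handshake_with(host, port, version, timeout=5.0):
    """True if a handshake pinned to exactly `version` completes.

    Caveat: a False on TLS 1.0/1.1 can also mean the local OpenSSL refused
    to offer the deprecated version, so read it as 'not reachable from this
    client' rather than proof that the server refuses it.
    """
    try:
        ctx = ssl.create_default_context()
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False

def probe(host, port=443):
    """Probe every version and return {name: accepted}."""
    return {name: handshake_with(host, port, v) for name, v in VERSIONS.items()}

def assess(results):
    """Apply the article's policy: TLS 1.2 minimum, 1.0 and 1.1 refused."""
    legacy = [v for v in ("TLSv1", "TLSv1.1") if results.get(v)]
    modern = [v for v in ("TLSv1.2", "TLSv1.3") if results.get(v)]
    if not modern:
        return ("fail", "no TLS 1.2 or 1.3 handshake possible")
    if legacy:
        return ("fail", "deprecated versions still accepted: " + ", ".join(legacy))
    return ("pass", "negotiates " + ", ".join(modern) + " only")

if __name__ == "__main__":
    verdict, detail = assess(probe(HOST, PORT))
    print(f"{HOST}:{PORT} {verdict}: {detail}")
```

Keep the printed verdict with the vendor's written answer; the two together are what an auditor will ask to see.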

PHIGuard encrypts all stored data at rest using AES-256 and all data in transit over TLS 1.3, and includes a BAA at every pricing tier. When your audit documentation asks what encryption your task management tool uses, you need a specific answer ready.


DEFINITION

Encryption at Rest
Protecting stored data so it cannot be read without an authorized decryption key. Standard for HIPAA: AES-256 or equivalent.

DEFINITION

Encryption in Transit
Protecting data as it moves between systems (over networks or the internet). Standard for HIPAA: TLS 1.2 or higher.

DEFINITION

Addressable Specification
A HIPAA Security Rule requirement that must be implemented if reasonable and appropriate, or documented with an equivalent alternative if not. Encryption is addressable, not required — but must be addressed.

Q&A

Is encryption required under HIPAA?

Technically no — HIPAA labels encryption as an 'addressable' specification. But you must either implement encryption or document an equivalent alternative. In practice, encryption is the standard expectation for all ePHI handling.

Q&A

What encryption standard meets HIPAA requirements?

HIPAA doesn't mandate specific algorithms. HHS guidance points to NIST standards: AES-256 for data at rest, TLS 1.2+ for data in transit. Most compliant tools meet these standards automatically.

Want to learn more?

Does HIPAA require encryption?

HIPAA lists encryption as an 'addressable' specification under the Security Rule, not 'required.' However, if you don't implement encryption, you must document a reasonable and appropriate equivalent. In practice, encryption is the default expectation — most auditors and vendors treat it as required.

What encryption does HIPAA require?

HIPAA doesn't mandate specific algorithms, but HHS guidance references NIST standards. For data at rest: AES-256 is standard. For data in transit: TLS 1.2 or higher is standard. The key question: can your practice demonstrate that ePHI is protected from unauthorized access?

Do I need to encrypt emails containing PHI?

If you email PHI to patients or other providers, that email must be encrypted or you must use a secure messaging alternative. Standard consumer email (Gmail personal, Outlook personal) is not encrypted end-to-end and is not covered by a BAA; you need a business email provider that will sign one.

Does my task management tool need to encrypt data?

Yes, if it stores or transmits ePHI. Any HIPAA-compliant task management tool should encrypt data at rest and in transit, maintain audit logs, and provide a BAA. PHIGuard encrypts all data at rest and in transit and includes a BAA at every pricing tier.
