By Stephen Trout, HIPAA Blog, Resources

Protected Health Information must be encrypted according to HIPAA §164.312 Technical safeguards. At first glance this seems obvious even to a casual observer. PHI data must be encrypted because it contains the private health records of a patient, and this private information must be carefully safeguarded.

It’s easy to understand that the confidential data must be protected because it is confidential information. However, the question remains of “where” and “when” the data should be protected.

When should PHI or EHR be protected? To answer this question we first must understand that data has different states. A simple analogy with water will help drive the point home. You may recall from your high school biology or chemistry class that water can be a liquid, a solid (ice), and a gas (vapor). Data can also be found in different forms:

  • in transit
  • in use
  • at rest

Data at rest is the data simply sitting on the hard drive. The data will eventually be called on by an application, usually a web app, which loads the data and presents it to the user in the form of a web page. When the web app pulls in the data, the data is now “in use”. Should data in use be encrypted? If it were, it could not be read by a user, so typically data “in use” is meant to be decrypted first.

Data “in motion” is data that is travelling from one computer system to another. For example, a medical technician working in a doctor’s office enters the patient’s blood pressure in a web form. Before he presses the enter button, the PHI resides “at rest” on the technician’s desktop system. After he submits the form, the data travels from the technician’s desktop through the internet to its final destination on a remote system. The period during which the data is travelling is referred to as data “in transit” or “in motion”.

Understanding that data can be “at rest”, “in use”, or “in transit” is important so that you can gauge how it should be protected. Different mechanisms are available to protect the data in its different states. We’ll address that in the next blog, “Symmetrical and Asymmetrical Encryption”.


Stephen is an award-winning writer with a depth of experience in healthcare security and HIPAA compliance. In addition to writing for HIPAA Vault, his work has been published in Security Magazine, New England Society for Healthcare Communications, and others. Stephen has a degree in Engineering from Temple University, and can be reached at