When Should You Encrypt PHI Data for HIPAA Compliance?

By HIPAA Vault

When should PHI or EHR be protected? To answer this question we first must understand that data has different states. Using a simple analogy of water will help drive the point home. If you recall from your high school biology or chemistry class that water can be a liquid, a solid (ice), and a gas (vapor). HIPAA data can also be found in different forms:
– in use – in transit – at rest.

Data at rest is the data simply sitting on the hard drive. The data will eventually be called on by an application, usually a web app, to load the data and present it to the user in the form of a web page. When the web app pulls in the data, the data is now “in use”. Should data in use be encrypted? If it were, then it cannot be read by a user, so typically, data “in use” is meant to be decrypted first.

Data “in motion” is data that is travelling from one computer system to another one. For example, a medical technician working in a doctor’s office enters the patient’s blood pressure in a web form. Before he presses the enter button, the PHI resides “at rest” on the technician’s desktop system. After he submits the form, the data then travels from the technician’s desktop through the internet and to the final destination on a remote system. The period that the data is travelling is referred to as data “in transit” or “in motion”.

Understanding the state that PHI data resides in is an easy way to remember which stage that it needs to be encrypted.


Our certifications