Encryption (at rest and in transit)

Scrambling PHI so it is unreadable without a key, both while stored and while transmitted.

Encryption scrambles data so it cannot be read without a decryption key. HIPAA expects PHI to be encrypted both at rest (while stored on disk) and in transit (while moving across a network). Compliant setups typically use AES-256 for stored data and TLS 1.2 or higher for data in transit.

Under the current Security Rule encryption is an "addressable" specification, meaning it must be used where reasonable or an equivalent measure documented. See key security measures for HIPAA-compliant hosting.