This policy is listed for reference only and should be reviewed with your lawyer before implementing them into daily practice. We are not lawyers and are not providing any legal advice. View our legal disclaimer.

Access Control Encryption

Reference: § 164.308(a)(2)(iv)
Last Updated: April 24, 2024


To prevent unauthorized user access to unattended computing devices and to comply with state and federal regulations.


The Security Manager or its designated representative shall ensure that all team members are aware of the required logoff procedures.

All electronic devices that receive, store and/or transmit Protected Information and are not located in an Approved Secure Data Centers must use approved encryption methods to secure the information stored on or transmitted outside the secure center.

  • Devices that are not located in an Approved Secure Data Center are required to have all information stores of protected information encrypted.
  • Protected Information contained on laptops or workstations are required to be either File, Folder or Full Disk Encryption.
  • Any and all mobile devices e.g. smart phones and tablets that connect to the secure clinical network that may contain or transmit Protected Information (e.g. e-mail) are required to accept Information Security Standards to encrypt and protect the devices. External storage media (i.e. backup tapes, removable drives, etc) will need to have the Protected Information encrypted.
  • Files that contain protected information that are transmitted across the Internet (e.g. e-mail attachments, or file transfers to other entities) will need to have the attachments encrypted or use a secure encrypted method to deliver that information.

As part of the encryption specification, the Security Manager shall also:

  • Make an inventory of all of the systems that store or transmit patient data.
  • Identify all of the systems where encryption is not implemented.
  • Prioritize the implementation of encryption for all systems that have no encryption capability.
  • If vendor updates are available that add encryption capabilities, schedule those updates as soon as possible.
  • Immediately notify all of your software and hardware vendors that you expect them to implement encryption according to industry standards, and that future acquisitions will require this security control.
  • Stored encryption keys away from patient data on key management servers that are designed to protect encryption keys.
  • Make an inventory of all Business Associates that receive patient data be sure to have a valid updated Business Associate agreement on file.


Existing systems and applications containing Protected Information which cannot use encryption because of technology limitation but have compensating controls may be granted a special exception by the Security Officer. However, these systems and applications will be required to have a formal risk assessment performed to ensure that major risks are addressed via compensating controls to protect the data in lieu of encryption.

Exceptions will be reviewed periodically and removed when a suitable solution is available.

Simplify Your Compliance with
Software and Guided Coaching
Let your patients and clients know that you take HIPAA seriously with the HIPAA Seal of Compliance for your website, storefront, and marketing materials.

Get instant access to HIPAA Compliance News and Updates

You'll get your first checklist as soon as you sign up!

overlapping hands

Our Mission

To safeguard medical data by providing secure, reliable, and fully HIPAA-compliant hosting solutions, enabling healthcare professionals to focus on their primary mission of providing care.
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram