
HIPAA Encryption Requirements Explained for Non-Technical Therapists


Encryption is the single most talked-about word in HIPAA, and one of the least understood. Vendors splash "bank-level encryption" across their homepages. Compliance checklists demand it. But almost nobody explains, in plain terms, what it actually is or what HIPAA truly requires.

So let's fix that. No jargon, no computer-science detour. By the end of this you'll know what encryption does, where it matters, what the law actually says, and how to check whether your own tools and devices are doing it right.

What Encryption Actually Is

Encryption is scrambling data so that only the right person can read it.

Imagine you write a client's name on a piece of paper, then run it through a machine that turns it into random gibberish. Anyone who steals the paper sees nonsense. But the person with the matching "key" can run it back through the machine and get the original name. That's encryption: readable data goes in, scrambled data comes out, and only the key turns it back.

Without the key, the scrambled data is useless. That's the whole point. If a laptop full of encrypted client notes gets stolen, the thief gets gibberish, not records.

The strength of the scrambling matters, and we'll get to the specific labels to look for. But the core idea is that simple: lock the data so a stranger can't read it.

At Rest vs In Transit — The Two Places Data Lives

HIPAA cares about encryption in two situations, and you'll see these phrases everywhere.

Encryption at rest protects data that's sitting still — stored on a hard drive, a phone, a server, or a cloud backup. Think of client notes saved on your laptop overnight. If the laptop is stolen, at-rest encryption is what keeps those notes unreadable.

Encryption in transit protects data that's moving — traveling across the internet from one place to another. When you load your EHR in a browser, send a secure message, or join a telehealth session, the data is in transit. In-transit encryption stops someone on the same coffee-shop Wi-Fi from intercepting it.

A plain example of both: you write a progress note in your cloud EHR. As you type and save, the note travels to the EHR's servers — that trip needs in-transit encryption. Once it lands and gets stored, it needs at-rest encryption so it's protected sitting on their servers. You need both, because data is vulnerable both while it moves and while it sits.

What HIPAA Actually Requires — The "Addressable" Surprise

Here's the part that confuses everyone. Most people assume HIPAA flatly orders you to encrypt everything. The reality is more nuanced.

Under the HIPAA Security Rule, encryption is an "addressable" implementation specification, not a strictly "required" one. Encryption at rest lives at §164.312(a)(2)(iv) and encryption in transit at §164.312(e)(2)(ii). Both are labeled addressable.

Now, "addressable" sounds like "optional." It is not. This is where practices get themselves in trouble.

Addressable means you must do one of these:

  • Implement the encryption, OR
  • Document a legitimate reason it isn't reasonable for you AND put an equivalent safeguard in place instead, OR
  • Document why no safeguard is needed at all (very rarely defensible).

What addressable does not mean is "you can skip it because it's hard." If you choose not to encrypt, you carry the burden of proving in writing that an equivalent alternative is reasonable and appropriate for your situation. For a solo therapist storing client records on a laptop, there is essentially no reasonable alternative to encryption — the technology is free and built in. Skipping it without ironclad documentation is a finding waiting to happen.

In practice, for a small mental health practice, treat encryption as required. The "addressable" label gives large organizations with unusual constraints a documented escape hatch. It is not your permission slip to ignore it.

How to Check If Your Tools Encrypt Properly

When you evaluate an EHR, telehealth platform, email service, or cloud storage tool, you're looking for two specific things. Memorize these two labels:

  • At rest: AES-256. This is the gold-standard encryption strength for stored data. If a vendor says data is "encrypted at rest with AES-256," that's what you want to see.
  • In transit: TLS 1.2 or higher. TLS is the technology that protects data moving across the internet (it's what the padlock in your browser represents). You want TLS 1.2 or TLS 1.3. Anything older is outdated.

Where to find this:

  • Check the vendor's security page, often at a "/security" or "/trust" URL.
  • Look in their HIPAA or compliance documentation, sometimes behind a "request" form.
  • Ask directly: "Do you encrypt PHI at rest with AES-256 and in transit with TLS 1.2 or higher?" A compliant vendor answers this in one email.

If a vendor can't give you a clear answer, or hides behind vague phrases like "military-grade security" with no specifics, treat that as a red flag. And remember — encryption alone doesn't make a tool HIPAA compliant. You still need a signed Business Associate Agreement with any vendor touching PHI. Encryption and a BAA are two separate boxes, and you have to tick both.

Don't Forget Your Own Devices

Vendors handle their servers, but your laptop and phone are your responsibility. This is the most common gap in solo practices, and the easiest to fix — usually for free.

Mac: turn on FileVault. Go to System Settings, search FileVault, and switch it on. It encrypts your entire drive with strong encryption and runs invisibly once enabled.

Windows: turn on BitLocker. Available on Windows Pro and Enterprise editions. Search for "Manage BitLocker" and enable it for your drive. Save the recovery key somewhere safe and not on the same machine.

Phones and tablets: confirm device encryption is on. Modern iPhones are encrypted automatically as long as you have a passcode set — so set a strong one. Most current Android phones encrypt by default too; verify in your security settings and use a real passcode, not a swipe pattern.

If you store, view, or even receive any client information on a device — and you do — that device needs full-disk encryption turned on. A locked screen alone is not encryption.

The Breach Safe-Harbor — Why This Pays Off

Here's the payoff that makes encryption worth ten minutes of setup. HIPAA includes what's often called the encryption safe-harbor.

If PHI is properly encrypted to current standards and a laptop, phone, or drive is lost or stolen, that data is considered unreadable, unusable, and undecipherable to whoever took it. As a result, the loss is not a reportable breach. No notification letters, no report to HHS, no entry on the public breach portal, no patient panic.

Flip it around. An unencrypted lost laptop with client records is a reportable breach. You'd owe notifications to every affected client, a report to the HHS Office for Civil Rights, and — if it hits 500 or more people — a public listing and likely a news story.

OCR's enforcement history is full of exactly this scenario. Lost or stolen unencrypted laptops and portable drives have repeatedly led to major settlements with hospitals, insurers, and smaller providers. The recurring theme in those cases is painfully simple: the device wasn't encrypted, so a routine theft became a federal matter. Practices that had encryption turned on faced no such reporting obligation for the same kind of loss.

That's the deal encryption offers you. A few minutes turning on FileVault or BitLocker can be the difference between "my laptop got stolen, no big deal, the data's locked" and a breach that consumes months of your life and your reputation.

The Short Version

  • Encryption scrambles data so only someone with the key can read it.
  • You need it at rest (stored data) and in transit (moving data).
  • HIPAA labels it "addressable," but for a solo practice, treat it as required — and document if you ever don't.
  • Look for AES-256 at rest and TLS 1.2 or higher in transit when choosing tools.
  • Turn on FileVault, BitLocker, and phone encryption on every device.
  • Properly encrypted data that's lost or stolen isn't a reportable breach. Unencrypted data is.

Take the next step

Not sure where your practice stands? Yundra's free HIPAA risk assessment takes 25 minutes and gives you a clear compliance score with specific gaps identified. No credit card required.
