Regulation of Medicine


Data Encryption: An Effective Strategy to Secure Patient Information

Executive Summary

Data encryption is a crucial component of your healthcare organization’s cyber security strategy. Although encrypting data might add an extra burden, it will protect electronic patient information as well as save you and your healthcare organization’s reputation from financial and personal harm. Due to the current range of options and prices, noncompliance is no longer excusable.  

Recommended Actions 
  •  Prioritize patient privacy; a healthcare organization with robust HIPAA and privacy protections will increase the public’s trust in your service. 
  •  Encrypt all data and devices that contain ePHI to avoid unauthorized disclosures of patients’ sensitive information and considerable HIPAA fines. 
  • Assess security of the encryption system each year to find areas of improvement. 

How Does Data Encryption for Patient Privacy Work? 

Encrypting patient data protects information by making the data unreadable to unauthorized individuals. When data is encrypted, it is converted into a new form that cannot be read unless someone has the key or code. And so, even if encrypted data is stolen, it remains unreadable due to extra layers of security.  

Why is Encryption Important for Healthcare Organizations and HIPAA Compliance? 

In the healthcare industry, data encryption is important for HIPAA compliance as well as for safeguarding electronic protected health information (ePHI) from online threats. If ePHI is not protected, costly data breaches and impermissible disclosures of patient information can result. 

Theft and hackers are common sources of data breaches. Because ePHI includes sensitive and private information and has increasingly become the target of hackers, healthcare organizations should follow data protection guidelines. Those that proactively adopt best practices for security are better prepared for ongoing compliance and less likely to experience expensive data breaches and lawsuits. To fully secure ePHI, healthcare organizations must regularly examine their encryption security measures as well as upgrade as newer methods replace older, less secure ones. 

How Can I Be HIPAA Compliant When It Comes to Encryption? 

The HIPAA Privacy Rule and HIPAA Security Rule establish ePHI security standards and compliance requisites. Due to constantly evolving technology, the rules leave the exact encryption method and software to the discretion of the healthcare organization. However, the rules list certain objectives, such as encryption for patient data that is at rest (inactive data on a hard drive or disk) or in transit (data that is emailed or moved from one device or server to another) to assure the confidentiality of ePHI. The use of password protection without encryption is not HIPAA-compliant. Additionally, states can pass laws that are stricter than HIPAA’s standards. 
The Office for Civil Rights will fine healthcare organizations if they fail to encrypt data at rest or in transit. If unencrypted data is stolen, healthcare organizations will face a financial loss and have to notify their patients of the situation, which might hurt their reputations. However, if encrypted data is stolen, they will not have to pay a fine nor notify their patients. Healthcare organizations should work directly with their IT providers to determine the type of HIPAA-compliant encryption software that best fits their needs.  

What Are Other Methods of Healthcare Data Protection? 

Even with data encryption, you should be aware that other cyber risks and threats can still exist. For example, data that resides in an on-premise server or an in-house server is vulnerable to outside threats especially if the key to decryption is located on the desktop. Additionally, malware and phishing techniques can compromise an encrypted database’s security, or someone’s login credentials can be stolen. These scenarios allow hackers to potentially gain access to ePHI despite the use of encryption.  
In addition to encrypting patients’ data, here are some other practices, including administrative and physical safeguards, that healthcare organizations should use to reduce risk and protect their patients’ electronic information: 

  •  Encrypt all devices that can be taken off site and do not allow staff to use personal devices for work. 
  • Implement modern authentication (e.g. multi-factor) requirements for all systems. 
  • Follow stolen and lost device procedures. 
  • Only use end-to-end encrypted emails to prevent hackers from intercepting messages (such as Microsoft 365 and Salesforce). 
  • Hire professional IT support that has experience in implementing encrypted software. 
  • Educate healthcare staff on security awareness to prevent human error and improve digital literacy. 
  • Restrict employee access to certain information to ensure that only authorized employees have access to the data. 
  •  Conduct an annual security risk assessment to find vulnerabilities in the security system. 
  • Regularly update security measures as new technology and better solutions are developed. 

MagMutual protects and secures your information by choosing service providers such as Salesforce and Microsoft that offer the latest encryption software. We regularly train and educate all employees on the importance of using secure systems when transmitting sensitive information. We always implement encryption to the greatest extent possible to assure our policyholders that we value their privacy and that information is only accessed by authorized individuals. 

Lessons Learned 
  • Encrypting data is one of the most important data protection methods healthcare organizations can use because it reduces the risk of data breaches. 
  • In the event of a breach, unencrypted data can result in substantial fines from HHS and loss of patient trust.  
  • Due to improvements in evolving technology, encryption is accessible and affordable and can fit the needs of any organization.  
Potential Damages 

Healthcare organizations that fail to secure their patients’ ePHI may face HIPAA fines or even criminal prosecution if it is shown that there was willful negligence in the handling of ePHI. This can damage your reputation and result in a loss of employment and a loss of earnings. In addition to HIPAA fines, failing to encrypt can also create lawsuits resulting from stolen data.


1. Data encryption is optional.
2. The cost of encryption is likely less than the hefty fines HHS will charge for non- compliance and using unencrypted data.
3. Under HIPAA, each covered entity must determine what security measure is necessary to achieve their own objectives.


Want to learn more?

Interested in how MagMutual can help?

View our products


The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.