HIPAA TS-1.4: Encryption and Decryption of ePHI
TS-1.4 requires organizations to deploy encryption mechanisms that protect electronic Protected Health Information both at rest and in transit. This control is foundational to HIPAA's Security Rule and directly prevents unauthorized access to sensitive patient data. Meeting this requirement demands both technical implementation and documented governance—two areas where compliance teams often struggle without proper tools.
What this means
The encryption and decryption control mandates that your organization establish and maintain cryptographic systems capable of protecting ePHI throughout its lifecycle. This includes encrypting data stored on servers, databases, and backups, as well as encrypting data transmitted across networks. The control requires that encryption keys are managed securely, decryption processes are logged and monitored, and encryption standards meet or exceed NIST recommendations (typically AES-256 or equivalent). Your organization must also ensure that authorized personnel can decrypt ePHI when clinically or administratively necessary, while preventing unauthorized decryption.
How to comply
- 1.Inventory all systems, databases, and storage locations containing ePHI and document current encryption status for each
- 2.Select NIST-approved encryption algorithms (AES-256 minimum) and implement encryption for data at rest across all identified systems
- 3.Deploy TLS 1.2 or higher for all ePHI data in transit across networks, including APIs and cloud integrations
- 4.Establish a formal key management process including generation, storage, rotation, and secure deletion of encryption keys
- 5.Configure access controls so only authorized personnel can decrypt ePHI, with decryption events logged and monitored
- 6.Document your encryption architecture, algorithms, key management procedures, and recovery processes in your Security Rule policies
- 7.Conduct quarterly audits of encryption status, key rotation cycles, and decryption activity logs to ensure ongoing compliance
- 8.Test decryption and recovery procedures annually to verify data can be restored without integrity loss
Evidence auditors look for
- Encryption inventory spreadsheet listing all ePHI systems, encryption algorithms, and key management tools in use
- System configuration screenshots showing AES-256 encryption enabled on databases, file servers, and backups
- Network packet captures or firewall logs demonstrating TLS 1.2+ encryption on data in transit
- Key management policy documentation covering generation, rotation, storage, access, and destruction procedures
- Decryption access logs with timestamps, user IDs, and data accessed for the past 12 months
- Encryption key rotation schedule and completion records showing rotation at least annually
- Third-party encryption validation reports from security audits or penetration tests
- Business continuity plan demonstrating successful decryption and recovery testing results
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates encryption inventory mapping, generates encryption compliance checklists aligned to TS-1.4, and consolidates decryption access logs into audit-ready evidence—eliminating manual spreadsheet tracking and reducing ePHI exposure risk.
See how GRCWatch handles this control automatically
Start free trial