Encryption at Rest and in Transit: What That Actually Means for a Doctor's Office

Demystifying a Word That Gets Thrown Around

Encryption is one of those words that appears in every security discussion and every HIPAA conversation, yet rarely gets explained in terms a practice can actually act on. People nod along at “encryption at rest and in transit” without a clear picture of what it means for the laptop at the front desk or the email a provider just sent to a specialist. This post translates the concept into the concrete systems of a doctor’s office.

The two phrases describe two states that data can be in. Data at rest is data sitting somewhere: stored on a hard drive, a server, a backup, a phone. Data in transit is data moving from one place to another: an email crossing the internet, a file uploading to the cloud, a record syncing to a remote office. Encryption protects data in both states, but the mechanisms differ (disk or file encryption for data at rest; TLS, VPN tunnels and encrypted messaging for data in transit), which is why both phrases come up.

Why it matters for HIPAA: encryption is an “addressable” implementation specification under the current Security Rule (45 CFR 164.312(a)(2)(iv) for data at rest and 164.312(e)(2)(ii) for data in transit). Addressable does not mean optional: you must assess whether it is reasonable and appropriate, implement it if so, and document an equivalent alternative if not, and for a practice with laptops, phones and cloud services that assessment almost always ends in implementing it. The HHS/OCR proposed updates published in early 2025 would remove the addressable/required distinction and make encryption of ePHI at rest and in transit an explicit expectation. Just as importantly, encryption carries a powerful practical benefit under the Breach Notification Rule: PHI encrypted in line with HHS guidance is not “unsecured PHI”, so if a lost or stolen device was properly encrypted, and the encryption key or password was not lost along with it, the loss is generally not a reportable breach at all. Encryption is one of the few controls that can turn a potential breach into a non-event.

What “At Rest” Means for Each System

Encryption at rest scrambles stored data so that someone who physically obtains the device or storage cannot read the data without the key. Here is what that looks like across a practice:

Laptops. A laptop is the classic encryption-at-rest scenario because laptops get lost and stolen. Full-disk encryption, built into modern operating systems (BitLocker on Windows, FileVault on macOS), ensures that a thief who takes a laptop gets an unreadable drive rather than a folder full of patient records. Two caveats matter in practice. The drive is only protected once the machine is shut down; a laptop that is asleep or sitting at a lock screen still holds the key in memory, so “close the lid” is not the same as “powered off”. And the recovery key must be escrowed somewhere other than the laptop (the management console, the directory service, or a sealed envelope in a safe), or a forgotten password turns into data loss. Every laptop that could possibly touch ePHI should have full-disk encryption enabled and verified, where “verified” means checking the operating system’s own status report rather than the checkbox in a policy document.

Desktop workstations and servers. Desktops are stolen less often than laptops, but it happens — and servers contain the highest concentration of ePHI. Encrypting the storage on workstations and servers protects against theft, improper disposal, and drives being pulled from decommissioned equipment.
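One way to do the “verified” part of the two paragraphs above, as an added example that is not part of the original post: a small Python script that reads the operating system’s own encryption status report and returns a pass or fail verdict, instead of trusting an inventory column. It assumes a fleet of Windows (BitLocker, read via `manage-bde -status`) and macOS (FileVault, read via `fdesetup status`) machines; Linux is not covered, and the sample status outputs embedded in the script are constructed for illustration. Run it as an administrator on each machine, or feed it the output of those two commands as collected by your management tool.

```python
"""Verify full-disk encryption from the OS status report (added example).

Assumes Windows (BitLocker) and macOS (FileVault) endpoints. Run as an
administrator, or pass saved `manage-bde -status` / `fdesetup status` output
to the assess_* functions. The sample outputs below are constructed.
"""
import platform
import re
import subprocess

# Constructed sample of `manage-bde -status C:` for a healthy volume.
SAMPLE_BITLOCKER_OK = """\
Volume C: [Windows]
[OS Volume]

    Size:                 475.69 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password
"""

# Constructed sample: encrypted, but protection was suspended (for a firmware
# update, say) and never resumed. The volume key is then stored in the clear,
# so the drive is readable to whoever takes it. Inventories usually miss this.
SAMPLE_BITLOCKER_SUSPENDED = SAMPLE_BITLOCKER_OK.replace(
    "Protection Status:    Protection On", "Protection Status:    Protection Off")

# Constructed sample: encryption was started but never finished.
SAMPLE_BITLOCKER_PARTIAL = SAMPLE_BITLOCKER_OK.replace(
    "Conversion Status:    Fully Encrypted", "Conversion Status:    Encryption in Progress"
).replace("Percentage Encrypted: 100.0%", "Percentage Encrypted: 37.2%")

# Constructed samples of `fdesetup status`.
SAMPLE_FILEVAULT_ON = "FileVault is On.\n"
SAMPLE_FILEVAULT_OFF = "FileVault is Off.\n"
SAMPLE_FILEVAULT_PENDING = "FileVault is On.\nEncryption in progress: Percent completed = 42.\n"


def _field(text, name):
    """Return the value of a 'Name:    value' line from manage-bde output, or None."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def assess_bitlocker(text):
    """Pass only when the volume is fully converted AND protection is on."""
    conversion = _field(text, "Conversion Status") or "unknown"
    protection = _field(text, "Protection Status") or "unknown"
    reasons = []
    if conversion != "Fully Encrypted":
        reasons.append(f"conversion status is '{conversion}'")
    if protection != "Protection On":
        reasons.append(f"protection status is '{protection}' "
                       "(protectors suspended or not configured; key stored in clear)")
    return {"os": "windows", "encrypted": not reasons,
            "method": _field(text, "Encryption Method"), "reasons": reasons}


def assess_filevault(text):
    """Pass only when FileVault is on and the initial encryption has completed."""
    reasons = []
    if not text.lstrip().startswith("FileVault is On"):
        reasons.append("FileVault is not enabled")
    if "Encryption in progress" in text:
        reasons.append("initial encryption has not finished")
    return {"os": "macos", "encrypted": not reasons, "method": "FileVault", "reasons": reasons}


def check_local_machine():
    """Run the OS status command on the machine this script is executing on."""
    system = platform.system()
    if system == "Windows":
        out = subprocess.run(["manage-bde", "-status", "C:"],
                             capture_output=True, text=True, check=False).stdout
        return assess_bitlocker(out)
    if system == "Darwin":
        out = subprocess.run(["fdesetup", "status"],
                             capture_output=True, text=True, check=False).stdout
        return assess_filevault(out)
    raise RuntimeError(f"no full-disk encryption check implemented for {system}")


if __name__ == "__main__":
    result = check_local_machine()
    status = "PASS" if result["encrypted"] else "FAIL"
    print(f"{status}: {platform.node()} ({result['os']}, {result['method']})")
    for reason in result["reasons"]:
        print(f"  - {reason}")
```

The deliberate choice is that “encrypted” alone is not a pass: a BitLocker volume with protection suspended, or either platform with the initial conversion still running, is reported as a failure with the reason attached, because those are the two states that make a laptop look encrypted in a spreadsheet while the data is still readable.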

Backups. Backups are a complete copy of your ePHI, which makes them a high-value target and a serious liability if mishandled. Backup data should be encrypted both where it’s stored and as it travels to its destination, and the backup encryption key must be kept somewhere other than with the backups themselves, with a restore tested periodically: an encrypted backup whose key was lost is no backup at all. An unencrypted backup tape or drive is a breach waiting to happen.

Cloud storage. Reputable cloud providers encrypt data at rest on their infrastructure, but you should confirm it rather than assume it, and understand how the keys are managed: who holds them, and whether the practice can be locked out of its own data. Keep the scope clear, too. Provider-side encryption protects against a drive walking out of the provider’s data center; it does nothing against someone signing in with a stolen staff password, so the account controls around that data matter as much as the encryption. The same applies to any cloud service holding ePHI.

Mobile devices. Phones and tablets that access email or clinical apps hold ePHI and are easily lost. Device encryption — standard on modern phones — plus a passcode and remote-wipe capability protect that data.

“The lost laptop is the scenario that turns encryption from an abstraction into a very concrete benefit. Encrypted, it’s an expensive inconvenience. Unencrypted, it’s a reportable breach, a notification process, and a potential headline.”

What “In Transit” Means for Each System

Encryption in transit protects data while it moves, so that someone intercepting it along the way cannot read it. The concrete cases:

Email. Email is the trickiest in-transit case for healthcare. Ordinary email is at best encrypted hop by hop: the link between mail servers uses TLS only when both sides happen to support it, and the message sits in the clear on every server along the path and in both mailboxes. That is why ePHI should not simply be emailed in the clear. Practices need a secure email solution, encrypted email or a secure portal, for any message containing PHI, along with clear staff guidance about what can and cannot be sent by ordinary email.

Cloud uploads and web connections. When data moves to and from cloud services, it should travel over encrypted connections (HTTPS, the lock icon in the browser). For current mainstream services this is handled, but it is worth confirming, especially for older or niche systems. The check is that the service presents a valid certificate, negotiates TLS 1.2 or newer, and does not also answer on plain HTTP or fall back to TLS 1.0/1.1, which are deprecated and disabled in current browsers.
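A way to do that confirmation, as an added example and not code from the original post: a Python script that connects to a service the practice uses, lets the standard library verify the certificate chain and hostname, reports the negotiated TLS version and the certificate expiry, and then makes a second handshake offering nothing newer than TLS 1.1 to see whether the service accepts legacy TLS. The host name is a command-line argument (an assumption; use the services your practice actually relies on), and the dates used by the self-test are constructed. One caveat is built in: a current OpenSSL build may refuse to offer TLS 1.0/1.1 itself, so a failed legacy handshake proves that ePHI will not leave this machine over legacy TLS, not necessarily that the server rejects it.

```python
"""Confirm a service's in-transit encryption (added example).

Usage: python tls_check.py portal.example-ehr.test [port]
The host is an assumption; pick the services your practice actually uses.
"""
import socket
import ssl
import sys
import time

ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
WARN_DAYS = 30  # an expired certificate breaks the lock icon, so warn ahead of time


def assess_endpoint(protocol, not_after, now_epoch, warn_days=WARN_DAYS):
    """Judge a handshake result.

    protocol  : SSLSocket.version() string, e.g. 'TLSv1.3'
    not_after : 'notAfter' field of SSLSocket.getpeercert(), e.g. 'Jun 15 12:00:00 2030 GMT'
    now_epoch : current time as seconds since the epoch
    """
    findings = []
    if protocol not in ACCEPTED_VERSIONS:
        findings.append(f"negotiated {protocol}; TLS 1.2 or newer is required")
    days_left = (ssl.cert_time_to_seconds(not_after) - now_epoch) / 86400
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left < warn_days:
        findings.append(f"certificate expires in {int(days_left)} days")
    fatal = protocol not in ACCEPTED_VERSIONS or days_left < 0
    return {"ok": not fatal, "protocol": protocol,
            "days_until_expiry": int(days_left), "findings": findings}


def check_tls(host, port=443, timeout=5.0):
    """Connect with full certificate and hostname verification, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()            # system CA store, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()             # only reached if the chain verified
            return assess_endpoint(tls.version(), cert["notAfter"], time.time())


def rejects_legacy_tls(host, port=443, timeout=5.0):
    """Offer nothing newer than TLS 1.1 and expect the handshake to fail.

    Returns True when it fails: either the server refused legacy TLS or this
    client's OpenSSL build would not offer it. Both mean no legacy session
    can be made from this machine. Network errors propagate so an unreachable
    host is not mistaken for a secure one.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # we only ask whether a legacy handshake completes
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
        with ctx.wrap_socket(raw, server_hostname=host):
            return False             # a TLS 1.0/1.1 session was established
    except (ssl.SSLError, ValueError, ConnectionError):
        return True
    finally:
        raw.close()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(__doc__)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    result = check_tls(host, port)
    print(f"{host}:{port} negotiated {result['protocol']}, "
          f"certificate valid for {result['days_until_expiry']} more days")
    for finding in result["findings"]:
        print(f"  - {finding}")
    print("  legacy TLS 1.0/1.1:", "refused" if rejects_legacy_tls(host, port) else "ACCEPTED")
```

If `check_tls` raises an `ssl.SSLCertVerificationError`, that is the finding: the service is presenting a certificate your machines do not trust, which is exactly what a user clicking through a browser warning would be ignoring. A legacy probe that prints ACCEPTED on a vendor system is worth a call to that vendor.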

VPNs. A VPN creates an encrypted tunnel for data traveling between a remote user or office and your network. This is how remote staff can safely reach internal systems over the untrusted internet: anyone watching the network sees only the tunnel, not the records inside it. Two limits apply. A VPN protects data in transit only, so it does not replace encryption at rest on the devices at each end, and it protects only the traffic that is actually routed through the tunnel, so a split-tunnel configuration leaves anything sent outside it unprotected.

Secure messaging. Clinical teams often need to communicate quickly about patients, and ordinary consumer texting is not appropriate for PHI. A secure messaging platform designed for healthcare encrypts messages in transit and at rest and provides the controls HIPAA expects, giving staff a compliant alternative to personal texting.

Remote office and site-to-site connections. Practices with multiple locations should ensure the links between sites are encrypted, so that ePHI moving between offices is protected the same way it would be over a VPN.

The Gaps Practices Commonly Miss

The unencrypted laptop. The most common and most damaging gap. Full-disk encryption is free and built in, but only if it is actually turned on, fully converted, and verified, which often it isn’t. A machine where encryption was started but never finished, or where BitLocker protection was suspended for an update and never resumed, looks encrypted in an inventory and is not.

Emailing PHI in the clear. Staff send patient information by ordinary email out of habit and convenience, not realizing it isn’t reliably encrypted. This needs both a secure tool and clear guidance.

Assuming the cloud handles everything. Cloud providers encrypt a lot, but the practice is still responsible for confirming it, configuring services correctly, and understanding what is and isn’t covered.

Forgetting backups. Backups are sometimes the one place encryption gets overlooked, even when the live systems are encrypted — leaving a complete copy of ePHI exposed.

Personal texting about patients. Convenient, common, and not appropriate for PHI. A secure messaging tool closes this gap.

A Practical Encryption Checklist for a Practice

  1. Enable and verify full-disk encryption on every laptop, desktop, and server that could touch ePHI; verify from the operating system’s own status report, and escrow the recovery keys somewhere other than the device.
  2. Confirm mobile devices are encrypted, passcode-protected, and remotely wipeable.
  3. Encrypt backups both at rest and as they travel to their destination, keep the backup key separate from the backups, and test a restore.
  4. Deploy secure email or a portal for any message containing PHI, with clear staff rules.
  5. Confirm cloud services encrypt at rest and that connections to them are encrypted in transit.
  6. Use a VPN or encrypted links for remote access and site-to-site connections.
  7. Provide a secure messaging tool so staff have a compliant alternative to personal texting.

The Byzantine Takeaway

“Encryption at rest and in transit” stops being intimidating once you translate it into the actual systems of your office. At rest protects stored data — laptops, servers, backups, cloud storage, phones — against theft and improper disposal. In transit protects moving data — email, cloud connections, VPNs, secure messaging — against interception. HIPAA increasingly expects both, and encryption uniquely can turn a lost device from a reportable breach into a non-event. Work through the checklist, pay special attention to the laptop and the backups, and give your staff secure alternatives to the habits — clear-text email and personal texting — that quietly put ePHI at risk.