Encrypting with Evervault reduces your HIPAA compliance scope.


The Health Insurance Portability and Accountability Act 1996 (HIPAA) is a US Federal Law, which required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The HIPAA Privacy Rule implements the requirements of HIPAA, and the HIPAA Security Rule protects a subset of information covered by the Privacy Rule — Electronic Protected Health Information (e-PHI).

Privacy Rule

Organisations covered by the Privacy Rule typically include:

  • Healthcare Providers
  • Health Plan Providers
  • Healthcare Clearing Houses
  • Business Associates (Service Providers to the above)

A major goal of the Privacy Rule is to make sure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality healthcare, and to protect the public’s health and well-being. The Privacy Rule permits important uses of information while protecting the privacy of people who seek care and healing.

Security Rule

While the HIPAA Privacy Rule safeguards PHI, the Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called Electronic Protected Health Information, or e-PHI. The Security Rule does not apply to PHI transmitted orally or in writing.

To comply with the HIPAA Security Rule, all covered entities must:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI
  2. Detect and safeguard against anticipated threats to the security of the information
  3. Protect against anticipated impermissible uses or disclosures that are not allowed by the rule
  4. Certify compliance by their workforce

Encryption plays a critical role in addressing points 1, 2 and 3 and organisations would be wise to implement both encryption in transit and at rest to protect personally identifiable sensitive personal health information.

Evervault is formally designated as a covered entity, and is externally assessed for compliance to HIPAA as part of our SOC 2 Type 2 Assessment (documentation available on request). Using Evervault allows organisations to securely store, process and share sensitive health data using robust encryption schemes.