How do I encrypt patient data (ePHI) at rest for HIPAA?
Turn on encryption at rest for every store that holds electronic protected health information (the database, buckets, volumes, backups), or document why an equivalent safeguard is in place. HIPAA's encryption specification (45 CFR 164.312(a)(2)(iv)) is addressable, which is not the same as optional: implement it where it is reasonable and appropriate, and where it is not, record why and put an equivalent alternative measure in place. Encrypting ePHI in line with HHS guidance also matters after an incident, since data rendered unusable, unreadable, or indecipherable to unauthorized persons falls under the breach notification safe harbor.
Enable encryption on the store
Provision databases, buckets, and volumes with encryption at rest on. For managed stores this is usually one setting; the trap is a store whose default is unencrypted (an RDS instance, or an EBS volume in a region without EBS default encryption enabled). Keep the threat in view: encryption at rest covers a lost disk, a snapshot copied out of the account, or a decommissioned drive. It does nothing against a caller who holds database credentials, so it complements access control and audit logging rather than replacing them.
Cover the copies too
Backups, snapshots, and exports of ePHI need the same protection as the primary store, so a copy does not sit unprotected somewhere off to the side. Managed services usually carry the primary's setting into the snapshots they take, but a snapshot of an unencrypted volume or instance is itself unencrypted and can only be fixed by copying it with encryption on. The usual gaps are the copies you make yourself: database dumps written to a bucket or a laptop, snapshots shared into another account, and the log or archive buckets that receive exported records.
Document an addressable decision
If you genuinely cannot encrypt a given store, the addressable nature of the specification means you record why, what equivalent alternative measure protects the data, who approved the decision, and when it will be reviewed, rather than leaving the decision implicit. That record belongs with your risk analysis, because it is what an auditor or OCR investigator will ask for.
```hcl
resource "aws_db_instance" "patient_records" {
  engine            = "postgres"
  instance_class    = "db.t3.medium"
  allocated_storage = 100
  storage_encrypted = true # false by default for aws_db_instance
}
```
Encryption at rest is enabled on the database holding ePHI, which an RDS instance does not do by default. The instance class and storage size are placeholders needed for the resource to apply.
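The three steps above applied to a complete set of stores, as an added example rather than the page's own configuration: one customer-managed KMS key shared by the database, a raw EBS volume, the snapshot taken of that volume, and the bucket that receives exports. The resource names, bucket name, availability zone, sizes, and the use of a provider recent enough to support `manage_master_user_password` (AWS provider 4.59 or later) are assumptions.

```hcl
# Added example, not the page's own code. Names, sizes and the AZ are
# placeholders; adjust for your account and region.

# One customer-managed key for every ePHI store. Key policy and CloudTrail
# on this key give you control and evidence an AWS-managed key does not.
resource "aws_kms_key" "ephi" {
  description         = "ePHI at-rest key"
  enable_key_rotation = true
}

# Primary store. RDS does not encrypt by default; once storage_encrypted is
# set, the automated backups and snapshots RDS takes inherit the same key,
# so the backup_retention_period copies are covered without extra work.
resource "aws_db_instance" "patient_records" {
  identifier                  = "patient-records"
  engine                      = "postgres"
  instance_class              = "db.t3.medium"
  allocated_storage           = 100
  username                    = "app"
  manage_master_user_password = true # master credential kept in Secrets Manager
  storage_encrypted           = true
  kms_key_id                  = aws_kms_key.ephi.arn
  backup_retention_period     = 35
  copy_tags_to_snapshot       = true
  skip_final_snapshot         = false
  final_snapshot_identifier   = "patient-records-final"
}

# Raw volume. Unencrypted unless the region has EBS default encryption on,
# so set it explicitly rather than relying on account state.
resource "aws_ebs_volume" "ephi_scratch" {
  availability_zone = "us-east-1a"
  size              = 50
  encrypted         = true
  kms_key_id        = aws_kms_key.ephi.arn
}

# A snapshot of an encrypted volume is encrypted; a snapshot of an
# unencrypted one is not. The precondition fails the plan before an
# unprotected copy can be created.
resource "aws_ebs_snapshot" "ephi_scratch" {
  volume_id = aws_ebs_volume.ephi_scratch.id
  lifecycle {
    precondition {
      condition     = aws_ebs_volume.ephi_scratch.encrypted
      error_message = "ePHI snapshot source volume must be encrypted."
    }
  }
}

# Exports and dumps land here. New objects get SSE-KMS under the ePHI key
# by default, so a client that sends no encryption header is still covered.
resource "aws_s3_bucket" "ephi_exports" {
  bucket = "example-ephi-exports" # placeholder name
}

resource "aws_s3_bucket_server_side_encryption_configuration" "ephi_exports" {
  bucket = aws_s3_bucket.ephi_exports.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.ephi.arn
    }
    bucket_key_enabled = true # cuts KMS request volume for large exports
  }
}
```

A single key for all ePHI stores keeps the inventory simple: the key policy lists exactly who can decrypt patient data, and CloudTrail records every Decrypt call against it. The precondition on the snapshot is the kind of guardrail worth adding wherever a copy is made, because it turns "we assume copies are encrypted" into a plan-time failure when they would not be.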