When should PHI or EHR be protected? To answer this question we first must understand that data has different states.
Using a simple analogy of water will help drive the point home. If you recall from your high school biology or chemistry class, water can be a liquid, a solid (ice), and a gas (vapor). HIPAA data can also be found in different forms: in-use, in-transit, and at-rest.
Data at rest is the data simply sitting on the hard drive. The data will eventually be called on by an application, usually a web app, to be loaded and presented to the user in the form of a web page.
When the web app pulls in the data, the data is now “in use.” Should data in-use be encrypted? If so, it could not be read by a user, so typically, data “in use” must be decrypted first.
Data “in motion” is data that is traveling from one computer system to another one. For example, a medical technician working in a doctor’s office enters the patient’s blood pressure in a web form. Before he presses the enter button, the PHI resides “at rest” on the technician’s desktop system. After he submits the form, the data then travels from the technician’s desktop through the internet and to the final destination on a remote system. The period that the data is traveling is referred to as data “in transit” or “in motion.”
Understanding the state that PHI data resides in is an easy way to remember which stage that it needs to be encrypted.