Recommended tools for encrypting data containing HIPAA-regulated PHI


This information is about tools that UITS Research Technologies recommends for encrypting data that contain protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act (HIPAA).

The Research Technologies division of UITS provides several systems and services that meet certain requirements established in the HIPAA Security Rule, thereby enabling their use for research involving data that contain protected health information (PHI). However, using a UITS Research Technologies resource does not fulfill your legal responsibilities for protecting the privacy and security of data containing PHI. You may use these resources for research involving data containing PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place. For more, see Your legal responsibilities for protecting data containing protected health information (PHI) when using UITS Research Technologies systems and services.

Encrypt data at rest

On personal workstations

On Windows and macOS workstations, to encrypt at-rest data, use Symantec Endpoint Encryption (formerly PGP Whole Disk Encryption). IU students, faculty, and staff can download Symantec Endpoint Encryption at no cost from the Security section of IUware. For more, see:

Storing PHI on laptops or other portable devices is highly discouraged. The HIPAA Security Rule mandates that data containing PHI should not be stored on laptops, USB flash drives, external hard drives, or mobile devices unless the data are anonymized or strongly encrypted.

On Research Technologies systems

To encrypt at-rest data, use GNU Privacy Guard (GPG, also GnuPG). For instructions, see Use GPG to encrypt files on IU's research computing systems.

For more, see Your legal responsibilities for protecting data containing protected health information (PHI) when using UITS Research Technologies systems and services.
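As an added example (not part of the original page and not UITS tooling), the following Python audit walks a directory and lists every file whose first OpenPGP packet is not an encryption packet, which catches plaintext and signed-only or compressed-only GPG output left at rest. The file names and sample bytes are constructed for illustration; the packet tags come from RFC 4880.

```python
import base64
import os
import tempfile

# OpenPGP packet tags (RFC 4880) that begin an encrypted message:
# 1 PKESK, 3 SKESK, 9 encrypted data, 18 integrity-protected encrypted data.
ENCRYPTED_TAGS = {1, 3, 9, 18}
ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"

def first_packet_tag(data):
    """Return the tag of the first OpenPGP packet, or None if there is none."""
    if data.startswith(ARMOR_HEADER):
        # Armor layout: header line, optional "Key: value" lines, blank line, base64.
        body = data.replace(b"\r\n", b"\n").partition(b"\n\n")[2]
        try:
            data = base64.b64decode(body.split(b"\n")[0].strip()[:4], validate=True)
        except ValueError:
            return None
    if not data or not data[0] & 0x80:  # bit 7 is set in every packet header
        return None
    if data[0] & 0x40:                  # new format: tag in bits 5-0
        return data[0] & 0x3F
    return (data[0] >> 2) & 0x0F        # old format: tag in bits 5-2

def audit(root):
    """Return sorted relative paths under root that are not OpenPGP-encrypted."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                if first_packet_tag(fh.read(4096)) not in ENCRYPTED_TAGS:
                    flagged.append(os.path.relpath(full, root))
    return sorted(flagged)

def write_samples(root):
    """Write constructed sample files (packet headers only, no real data)."""
    armored = ARMOR_HEADER + b"\n\n" + base64.b64encode(b"\x85\x01\x0c" + bytes(9)) + b"\n"
    samples = {"cohort.csv.gpg": b"\x8c\x0d\x04\x09\x03\x02" + bytes(16),  # SKESK
               "export.asc": armored,                                      # PKESK
               "signed.gpg": b"\xa3\x01" + bytes(16),  # compressed, not encrypted
               "raw.csv": b"id,value\n1,42\n"}          # plaintext
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_samples(tmp)
        print(audit(tmp))
```

The check inspects only the leading packet header, so it shows that a file is framed as an encrypted OpenPGP message, not that the cipher or passphrase is strong or that the file decrypts.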

Encrypt data transfers


To transfer data containing PHI between networked computers, use a Secure FTP (SFTP) client. SFTP clients encrypt commands and data to prevent sensitive information from being transmitted in the clear over a network.

You can use sftp from the command line on the IU research computing systems (and via the macOS Terminal application). Graphical SFTP clients also are available; for IU students, faculty, and staff, two graphical SFTP clients, CyberDuck (for macOS) and WinSCP (for Windows), are available for free download from IUware.

For more, see Use SFTP to transfer files.


On the IU research systems, you also can use the scp command to securely transfer data between remote hosts. SCP encrypts the files and any passwords exchanged over the network.

For more, see Use SCP to securely transfer files between two Unix computers.

Slashtmp (Critical version)

IU graduate students, faculty, and staff can use the Critical version of IU's web-based Slashtmp service to share Critical data, including data that contain PHI.

When using Slashtmp to store data subject to HIPAA regulations, or Critical data (for example, Social Security numbers, credit card numbers, or bank account numbers), you must choose the "Critical" version from the Slashtmp home page before proceeding with your upload.

Your Slashtmp files will disappear automatically 30 days after you upload them (but you may delete them sooner if you wish). Slashtmp files are not backed up; when you delete a file, there is no way to recover it. Do not use Slashtmp as the only place to keep files you cannot afford to lose.

For instructions, see Uploading a file using the Critical version.

Get help

UITS provides consulting and online help for Indiana University researchers, faculty, and staff who need help securely processing, storing, and sharing data containing protected health information (PHI). If you have questions about managing HIPAA-regulated data at IU, contact UITS HIPAA Consulting. To learn more about properly ensuring the safe handling of PHI on UITS systems, see the UITS IT Training video Securing HIPAA Workflows on UITS Systems. For additional details about HIPAA compliance at IU, see HIPAA Privacy and Security Compliance.

This is document ayzi in the Knowledge Base.
Last modified on 2019-08-27 08:59:22.

Contact us

For help or to comment, email the UITS Support Center.