HIPAA

Technical safeguards for ePHI—encryption and key management you can stand behind in a BA audit.

Requirements

What the regulation expects

HIPAA’s Security Rule (45 CFR §164.312) requires technical safeguards for ePHI: access control, audit controls, integrity, person or entity authentication, and transmission security. Encryption is an addressable specification, which does not mean optional: once your risk analysis shows it is reasonable and appropriate you must implement it, or document why not and put an equivalent measure in place, so in practice it is treated as required. The practical audit question is whether a cloud or SaaS operator can obtain plaintext ePHI without your knowledge. Customer-controlled keys (an HSM-backed KMS you run, AWS XKS, Microsoft Customer Key, or equivalent) put every key use under your own policies and logging, which maps cleanly to minimum-necessary workflows and to business associate accountability.

Customer-controlled keys under HIPAA

Technical safeguards should show who can reach ePHI; keys you govern make that auditable.

Access control and workforce clearance

Decrypt operations should follow the same role-based access model as the application itself: only approved systems and operators can invoke them, every invocation is attributed to a specific identity, and the record of who decrypted what, and when, is retained for review.

Integrity and non-repudiation of protections

The integrity standard requires protection against improper alteration or destruction of ePHI. Cryptographic integrity (authenticated encryption or signed records) under keys you control makes undetected tampering with stored records and backups much harder, and the controlled-key record of who could have acted gives you a defensible control for systems of record.

Vendor and BAA boundaries

A BAA assigns accountability; it does not by itself create technical separation. Keys held outside the vendor's environment limit what the vendor can read even while it operates the application stack, and they let you withdraw that access by withholding key use rather than by relying on the vendor's own controls.

Solutions

Relevant DuoKey products

OpenBAO + DuoKey SD-HSM

Standardise how EHR-adjacent apps, data lakes, and integration layers consume keys under your security programme.

AWS XKS for health workloads on AWS

Bind storage encryption to keys outside AWS’s default custody model.

Microsoft 365 Customer Key & DKE

Keep Microsoft from being the sole administrator of keys that protect regulated content.

Tokenisation for identifiers

Replace direct identifiers with tokens under your key control.


Key themes

Where customer-controlled keys fit

DuoKey provides the technical key separation that auditors look for when assessing ePHI safeguards — ensuring that encryption is not just enabled but controlled by the covered entity or its designated business associate.

§164.312(a)(2)(iv) — encryption and decryption

Implement mechanisms consistent with your risk analysis; external key management documents who can decrypt and how.

§164.312(b) — audit controls

Forward KMS and HSM audit streams (every decrypt, key-policy change, and key-state change, with the caller's identity and any encryption context) to your SIEM, so that ePHI access paths that pass through cryptography receive the same review and alerting as application and database access logs.
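As an added illustration of the audit-control point above, and of the role-based access expectation under "Access control and workforce clearance" (editor's example, not DuoKey code or a feature of any DuoKey product): a small triage that runs over KMS audit records and flags Decrypt calls that fall outside an approved decrypt path, denied Decrypt attempts, and administrative changes to the key itself. The record shape follows AWS CloudTrail's documented fields (`eventSource`, `eventName`, `userIdentity.arn`, `requestParameters.encryptionContext`, `resources[].ARN`, `errorCode`), but every record here is constructed sample data. The key ARN, the approved role names, the required encryption context and the list of key-administration calls are assumptions chosen for the example; the same logic applies to any KMS or HSM stream that records operation, key identifier and caller identity.

```python
"""Triage KMS audit records for decrypt activity on an ePHI key (editor's example, constructed data)."""
import json
from dataclasses import dataclass

# Assumed access model for one ePHI key (example values, not a DuoKey or AWS configuration).
EPHI_KEY = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
APPROVED_DECRYPT_ROLES = {"ehr-app", "claims-batch"}      # roles allowed to call Decrypt with this key
REQUIRED_CONTEXT = {"system": "ehr", "data": "ephi"}      # encryption context every Decrypt must carry
# Calls that alter the protection itself; any of them on the ePHI key goes to review.
KEY_ADMIN_CALLS = {"PutKeyPolicy", "DisableKey", "ScheduleKeyDeletion", "DeleteImportedKeyMaterial"}


@dataclass
class Finding:
    event_id: str
    principal: str
    reason: str


def role_name(identity: dict) -> str:
    """Return the IAM role behind an assumed-role session; other identity types return their ARN."""
    arn = identity.get("arn", "")
    if identity.get("type") == "AssumedRole" and "/" in arn:
        return arn.split("/")[1]      # arn:aws:sts::ACCOUNT:assumed-role/RoleName/SessionName
    return arn


def parse_log(text: str) -> list:
    """Accept either a CloudTrail file ({"Records": [...]}) or newline-delimited JSON records."""
    try:
        doc = json.loads(text)
        if isinstance(doc, dict) and "Records" in doc:
            return list(doc["Records"])
        if isinstance(doc, list):
            return doc
    except json.JSONDecodeError:
        pass
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events: list) -> list:
    """Return findings for KMS records that fall outside the approved decrypt path for EPHI_KEY."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        resources = ev.get("resources") or [{}]
        if resources[0].get("ARN") != EPHI_KEY:
            continue                                  # other keys are out of scope for this check
        name = ev.get("eventName", "")
        principal = ev.get("userIdentity", {}).get("arn", "<unknown>")
        if name in KEY_ADMIN_CALLS:
            findings.append(Finding(ev["eventID"], principal, f"{name} on ePHI key (change to the protection itself)"))
            continue
        if name != "Decrypt":
            continue                                  # Encrypt/GenerateDataKey etc. are not decrypt-path events
        if ev.get("errorCode"):
            findings.append(Finding(ev["eventID"], principal, f"denied Decrypt attempt ({ev['errorCode']})"))
            continue
        role = role_name(ev.get("userIdentity", {}))
        if role not in APPROVED_DECRYPT_ROLES:
            findings.append(Finding(ev["eventID"], principal, f"Decrypt by unapproved role {role}"))
            continue
        ctx = (ev.get("requestParameters") or {}).get("encryptionContext") or {}
        if ctx != REQUIRED_CONTEXT:                   # a real ePHI read path always carries the full context
            findings.append(Finding(ev["eventID"], principal, f"Decrypt with unexpected encryption context {ctx}"))
    return findings


def constructed_event(event_id: str, name: str, role: str, ctx: dict = None, error: str = None) -> dict:
    """Build a CloudTrail-shaped KMS record. Constructed sample data, not a real log."""
    ev = {
        "eventID": event_id,
        "eventSource": "kms.amazonaws.com",
        "eventName": name,
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::111122223333:assumed-role/{role}/session1"},
        "requestParameters": {"encryptionContext": ctx} if ctx is not None else {},
        "resources": [{"type": "AWS::KMS::Key", "ARN": EPHI_KEY}],
    }
    if error:
        ev["errorCode"] = error
    return ev


SAMPLE_EVENTS = [                                                   # constructed, see above
    constructed_event("e1", "Decrypt", "ehr-app", REQUIRED_CONTEXT),          # expected application read
    constructed_event("e2", "GenerateDataKey", "ehr-app", REQUIRED_CONTEXT),  # encrypt path, not flagged here
    constructed_event("e3", "Decrypt", "ops-admin", REQUIRED_CONTEXT),        # operator role, not approved
    constructed_event("e4", "Decrypt", "ehr-app", {"system": "ehr"}),         # context missing "data"
    constructed_event("e5", "Decrypt", "ehr-app"),                            # no encryption context at all
    constructed_event("e6", "Decrypt", "contractor", None, "AccessDeniedException"),  # denied attempt
    constructed_event("e7", "DisableKey", "kms-admin"),                       # change to the protection
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.event_id}: {f.reason} [{f.principal}]")
```

The design choice worth noting is that denied attempts and key-administration calls are surfaced alongside successful out-of-policy decrypts: a BA audit asks who could reach ePHI and who tried, not only who succeeded, and a key disable or policy change is the event that alters the safeguard itself. Encryption-context checking is what ties a decrypt to a known workflow; a Decrypt on the right key by the right role but without the expected context is the pattern an operator bypassing the application would leave.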