The Health Insurance Portability and Accountability Act from 1996 (HIPAA) puts out strict rules about who can handle Protected Health Information (PHI) and what they can do with it. However, when it comes to the storage of that data, the law leaves room for interpretation. For example, 45 CFR 164.308 states that you have to "Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level", but leaves it up to you, what reasonable and appropriate is. However, there are a few good reasons, why you always want to encrypt PHI data in your database.
The HIPAA rules call a company or service provider that has to abide by it a "covered entity". How do you know if you (or your company) are a covered entity? The HIPAA law does not affect every company, but if you provide some kind of health related services, chances are you are bound by it.
Before we talk about the "why", let us quickly recap what "Protected Health Information" or PHI actually is: PHI is any kind of information that is tied to the health or the medical history of a specific person.
The important piece here is that the information needs to be tied to a particular individual. That means on the other hand, if you cannot identify the individual anymore that the information at hand describes, you do not need to apply extra stringent security measures anymore either. In fact, 45 CFR 164.402 states that the disclosure of de-identified PHI is not considered a breach.
Therefore, you want to encrypt those data points that allow the identification of a particular individual. Things like the social security number, a medical record number or even the (cell)phone number come to mind. But, there are other information pieces that you might not think of as identifiable information but they in fact are. For example, the vehicle license plate. Even the age (in years) can be used to identify a person, once you get above 90 years. The HIPAA rules give us a comprehensive list of the fields you need to consider. E.g. check out the section about de-identifying data (45 CFR 164.514)
So, why should you encrypt your PHI?
The first reason it very straight forward: In section (a)(2)(iv) of 45 CFR 164.312, the HIPAA rules clearly say that you need to "[i]mplement a mechanism to encrypt and decrypt electronic protected health information". (Note: see clarifying comment by netsec4u below.)
In the case of a breach of PHI that was directly or indirectly caused by you, you can get fined. The fines reach from $100 to $50000 or more per incident. You can expect that each record in a data breach affecting PHI of several individuals will be considered a separate incident, potentially multiplying the fine by a very large number.
You are required to publicly disclose any breach of PHI that was in your possession. You are also required to contact each affected individual directly. What that entails for your business can be best described by these two words: PR Nightmare.
In addition to the bad press and reputational damage, the fines and the cost of notification can quickly go into the millions. The Cost Of A Data Breach gives an overview over recent PHI breaches and the associated costs to the companies.
Encryption does not only protect the data, it also protects you. In a recent California ruling, a company that lost a hard drive with PHI got away without penalties, because the data was encrypted.
If that all was not enough yet to convince you that you really need to encrypt that data, I have one more reason for you: Just a few days ago the West Virginia Supreme Court ruled that in the case of a PHI breach an individual does not have to proof any actual damages. That ruling opened the door for a class action lawsuit against a single company by over 3000 individuals that were affected by the breach.
If your business is dealing with PHI - Protected Health Information - you are responsible under the HIPAA law to do your best to protect that data from unauthorized access. That includes the protection of the data at rest. For that reason alone, it should be obvious that you need to encrypt PHI in your database. In addition however, it can get extremely expensive very quickly, if due diligence is lacking and it comes to a data breach.
If you have PHI in your database that is not encrypted, make it your highest priority today to change that.
Disclaimer: I am not a lawyer, therefore you should not consider any of this legal advice. For that, talk to your own lawyer.