VeraCrypt may not be HIPAA compliant. If it isn't, this encryption tool shouldn’t be used for protected health information (PHI).
Data encryption is an essential part of HIPAA compliance, and covered entities must ensure that information is fully encrypted both in transit and when stored. While VeraCrypt provides basic security features, its encryption tool may not be sufficient for protected health information (PHI).
VeraCrypt’s encryption hasn't been fully compatible with all types of computers, such as certain types of PCs. Additionally, it’s designed to be used on single devices. For HIPAA compliance, it’s best to have a centralized encryption system with administrative features that include remote access and remote encryption capabilities.
Information about VeraCrypt’s HIPAA-compliance effort is limited, so covered entities may want to consider choosing a commercial encryption service instead.
