It looks to me like FileVault 2 uses AES 256 bit encryption for the disk. Does that mean that it meets the HIPAA "data at rest" standard? Is there something else I need to check about it?


1 Answer


Yes, full-disk encryption using AES-256 would be considered HIPAA compliant encryption. It is so because it is a FIPS 140-2 compliant cipher, and data encrypted with FIPS 140-2 ciphers is considered "encrypted" under the HIPAA Security Rule.

As to whether this qualifies as good enough for "data at rest," that is up to your organization's interpretation of this seemingly ambiguous section of the HIPAA act.

Full disk encryption is a measure to help physical security. "Data at rest" can be interpreted to mean both the physical layer (in this case, if someone steals the Mac, the data would not be available as it's encrypted) as well as the availability of the actual data files sitting on a disk.

For example, some organizations might consider database backups sitting idle on a disk "data at rest" and would choose to encrypt these files with a password, e.g. using 7zip with AES-256. Some organizations might consider full-disk encryption enough for the "data at rest" standard.

This is an area of much debate when it comes to the HIPAA security rule. If you're concerned that having files on a computer not encrypted with a password or PGP key etc. might be a risk, it is best to err on the side of encryption. Under HIPAA, if encrypted data is compromised this need not trigger reporting/breach disclosure requirements, since the data could be assumed inaccessible to third parties. If non-encrypted data is compromised, and this includes hackers with malware taking files off an online computer that does have full disk encryption enabled, then this will trigger reporting requirements. It's up to you to weigh the risk.

Herringbone Cat