§ 00·0x00/COMPLIANCE / HIPAA
ePHI encryption is heading from optional to mandatory.
A proposed HIPAA Security Rule update would make ePHI encryption mandatory rather than addressable. The rule is not final, but the direction is clear.
CipherStash gives you field-level ePHI encryption, identity-bound access, and a full audit trail on the Postgres you already run.
§ 01·0x01/HOW CIPHERSTASH MAPS
The Security Rule, by construction.
→ 01
ePHI encrypted at the field level.
Patient data is encrypted per value before it reaches your database. The database stores, indexes, and searches ciphertext.
→ 02
Access controls enforced cryptographically.
A clinician decrypts their patients. An analyst sees ciphertext. The requirement is met in the data, not in a policy document.
→ 03
Audit controls by construction.
Every decryption is recorded: who, what, when, from where. Audit controls become a query, not a project.
→ 04
Runs on the stack you already have.
Supabase, Neon, RDS, or any managed Postgres. Your app keeps working while ePHI stays encrypted in use.
§ 02·0x02/NEXT STEPS
HIPAA-ready on the Postgres you already have.
Building on Supabase? Read how CipherStash works with your Supabase project. For your security review, see encryption at rest, in transit, and in use.