I am managing development of a platform for health service providers, and thus it houses health information about registered patients. Patients register themselves on the system and maintain their profiles. This system needs to be compliant with HIPAA requirements.
The specifications dictate asymmetric + symmetric encryption for data in transit, or end-to-end encryption.
I have some questions:
- Can a case be made for additional asymmetric + symmetric encryption of data in transit over TLS v1.3?
- Can PHI be stored anonymously somehow so we can analyze it and opt out of explicit encryption? That would require the handling/control logic for that data to live in the client apps.
- Can we have permanently assigned, unchanging asymmetric keys for users? If not, for how long can we have them safely? How do these changing keys work with already-encrypted data?
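On the last question (how rotated user keys interact with data that is already encrypted), the following is an added example and not part of the original post. It shows the usual envelope (hybrid) construction in Go with only the standard library: each record is sealed with a fresh random AES-256-GCM data key (DEK), and only the DEK is wrapped with the user's RSA-OAEP public key. Rotating the user's key pair then means unwrapping and re-wrapping the DEK, not re-encrypting the PHI. The `Record` layout, the key-version IDs, the OAEP label and the sample patient record are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Record is one stored PHI record in envelope form. Body is AES-256-GCM
// ciphertext under a per-record DEK; WrappedDEK is that DEK encrypted with
// the owning user's RSA-OAEP public key. Rotation touches only WrappedDEK
// and KeyID; Nonce and Body are never rewritten.
type Record struct {
	WrappedDEK []byte // DEK sealed with the user's public key
	Nonce      []byte // GCM nonce, fresh per DEK
	Body       []byte // ciphertext || GCM tag
	KeyID      string // which user key version wrapped the DEK (assumed scheme)
}

var oaepLabel = []byte("phi-dek-v1") // hypothetical domain-separation label

func wrapDEK(pub *rsa.PublicKey, dek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, oaepLabel)
}

func unwrapDEK(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext for the holder of pub. aad (e.g. the patient ID)
// is authenticated but not encrypted, so a record cannot be silently moved
// to another patient.
func Encrypt(pub *rsa.PublicKey, keyID string, plaintext, aad []byte) (*Record, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := wrapDEK(pub, dek)
	if err != nil {
		return nil, err
	}
	return &Record{WrappedDEK: wrapped, Nonce: nonce, Body: gcm.Seal(nil, nonce, plaintext, aad), KeyID: keyID}, nil
}

// Decrypt opens rec with the private key whose version matches rec.KeyID.
func Decrypt(priv *rsa.PrivateKey, keyID string, rec *Record, aad []byte) ([]byte, error) {
	if rec.KeyID != keyID {
		return nil, errors.New("record was wrapped with a different key version")
	}
	dek, err := unwrapDEK(priv, rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Body, aad)
}

// Rotate re-wraps the DEK from the old key pair to newPub. Cost per record is
// one RSA decrypt plus one RSA encrypt; the PHI ciphertext is not re-encrypted.
func Rotate(oldPriv *rsa.PrivateKey, oldKeyID string, newPub *rsa.PublicKey, newKeyID string, rec *Record) error {
	if rec.KeyID != oldKeyID {
		return errors.New("record not wrapped with the expected old key")
	}
	dek, err := unwrapDEK(oldPriv, rec.WrappedDEK)
	if err != nil {
		return err
	}
	wrapped, err := wrapDEK(newPub, dek)
	if err != nil {
		return err
	}
	rec.WrappedDEK, rec.KeyID = wrapped, newKeyID
	return nil
}

func main() {
	// Constructed sample: one record for a hypothetical patient, rotated v1 -> v2.
	k1, _ := rsa.GenerateKey(rand.Reader, 2048)
	k2, _ := rsa.GenerateKey(rand.Reader, 2048)
	aad := []byte("patient:12345")
	rec, _ := Encrypt(&k1.PublicKey, "user-key-v1", []byte("dx: hypertension"), aad)
	_ = Rotate(k1, "user-key-v1", &k2.PublicKey, "user-key-v2", rec)
	pt, err := Decrypt(k2, "user-key-v2", rec, aad)
	fmt.Printf("after rotation: %q err=%v\n", pt, err)
	_, err = Decrypt(k1, "user-key-v1", rec, aad)
	fmt.Println("old key after rotation:", err)
}
```

Note that this answers only the mechanics: the old private key must still be destroyed (or kept in escrow under a documented procedure) after every record it wrapped has been re-wrapped, and an attacker who captured both the old private key and the old `WrappedDEK` before rotation can still recover that DEK. Rotation limits future exposure; it does not undo a past compromise of the data key itself.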