No, VeraCrypt isn’t HIPAA compliant. This encryption tool shouldn’t be used for protected health information (PHI).
Data encryption is an essential part of HIPAA compliance, and covered entities must ensure that information is fully encrypted both in transit and when stored. While VeraCrypt provides basic security features, its encryption tool isn’t sufficient for protected health information (PHI).
VeraCrypt’s encryption isn’t fully compatible with all types of computers, such as certain types of PCs. Additionally, it’s designed to be used on single devices. For HIPAA compliance, it’s best to have a centralized encryption system with administrative features that include remote access and remote encryption capabilities.
Because information about VeraCrypt’s HIPAA-compliance effort is limited, and VeraCrypt won’t sign a business associate agreement (BAA), covered entities should choose a commercial encryption service instead.