I've been pouring over the HHS finalized guidance on acceptable conditions for data encryption of PHI. One interesting section reads:

Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.

Data at rest, meaning the data being stored in a hospital server / datacenter. With one interpretation, given the wide range of technologies and systems out there, this will eliminate in my opinion about 95% of the products out there as valid players. With another interpretation, it provides no additional security at all.

For instance:

Based on the wording I've seen so far, I could use whole-disk encryption to state that health information on my server at rest is stored in an encrypted form and is compliant. However, this only protects the information if the machine is physically stolen - as long as the server is running, an external hacker could get access to everything, because the operating system will be decrypting data on the fly.

But, placing that server in a physically secured location already provides 100% better security that the storage of patient record with relation to physical theft. Hard drive encryption really provides no additional security.