Unlike PCI DSS, HIPAA does not explicitly require encryption of data at rest; however, the importance of database encryption should not be overlooked. Although encryption of data at rest does not provide ultimate protection, it is, when implemented correctly, an effective barrier against unauthorized internal/external users and hackers who have managed to break into the network (the possibility of both scenarios should not be ignored). No one wants to be included in HHS’s “hall of shame”.