HIPAA requires that data be encrypted at rest and in transit. SSL satisfies the in-transit requirement, and the data is stored at rest in an encrypted database on our servers. The plugin double encrypts all the data except for name, email, and phone, so that those fields can be used as searchable identifiers. All other PHI/form data is double encrypted: it is encrypted before transit and stored in encrypted form in the encrypted database. This exceeds the HIPAA requirement, meaning that the actual ePHI, other than the 4 identifier fields, gets a second layer of encryption above and beyond what HIPAA requires, for added security.
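The selective field-level layer described above, as an added example in Go (not the plugin's own code, which this page does not show): identifier fields are passed through in cleartext so they stay searchable, every other form field is encrypted with AES-GCM before it is sent and stored, and the field name is bound as associated data so a stored ciphertext cannot be moved between columns. The key, the field names and the record layout are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// Identifier fields stay in cleartext (searchable); every other form field gets the extra layer.
var searchableFields = map[string]bool{"name": true, "email": true, "phone": true}
// sealField encrypts one value under a fresh random nonce. The field name is bound
// as associated data, so a ciphertext moved to another column fails to open.
func sealField(aead cipher.AEAD, field, value string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nonce, nonce, []byte(value), []byte(field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// openField reverses sealField; tampering or a column swap yields an error.
func openField(aead cipher.AEAD, field, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(ct) < aead.NonceSize() {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := aead.Open(nil, ct[:aead.NonceSize()], ct[aead.NonceSize():], []byte(field))
	return string(pt), err
}

// FieldLayer runs op (sealField to store, openField to read back) over every non-identifier field.
func FieldLayer(key []byte, rec map[string]string, op func(cipher.AEAD, string, string) (string, error)) (map[string]string, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256 (assumed key size)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	out := make(map[string]string, len(rec))
	for k, v := range rec {
		if searchableFields[k] {
			out[k] = v
		} else if out[k], err = op(aead, k, v); err != nil {
			return nil, err
		}
	}
	return out, nil
}
```

The pass-through identifier fields are protected only by the transport and database layers, which is the trade-off that makes them searchable.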