by dcdanko 3083 days ago
Both would be illegal* since your keys are info that could deanonymize patient data. However, you would be allowed to store them on your own PC if you follow proper procedures.

This is more important than it might seem from a purely tech perspective. HIPAA is partly designed to guard against 1) improper use of encryption and 2) downstream contractors who are malicious or careless.

The one-time pad is probably fine, but it's easy to imagine lesser encryption being broken (especially by bugs). This problem gets much worse once PHI is stored on a medium, like a blockchain, where it can never be taken down. After all, you probably wouldn't be happy if your health data was on the internet protected only by SHA1.

There are probably better solutions to all of these issues, but HIPAA is intentionally conservative. In many respects HIPAA is a financial, not a technical, law.

* HIPAA doesn't make improper storage illegal in the sense that you go to jail if you do it wrong. It exposes people who handle data improperly to massive fines, usually when actual breaches occur. This is part of why BAAs are so important.