From a Q&A on ActiveRecord encryption: if you can avoid storing sensitive data yourself, do so. Use a specialized third-party EHR or similar system to hold patient/PII records, and keep only metadata in your app. If you must store it, encryption is mandatory.