Health Information Management

HIPAA Q&A: Level of encryption needed for email

HIM-HIPAA Insider, June 11, 2012

A. All ePHI, including email, is considered secure if it is protected at a level consistent with National Institute of Standards and Technology (NIST) guidance. Most NIST documents are not easily decipherable to nontechnical individuals. Several different standards can be used to encrypt data transmitted via email. One common approved standard is the Advanced Encryption Standard (AES), which protects the message content itself. A second, usually used for website and webmail encryption, is Secure Sockets Layer (SSL), now superseded by Transport Layer Security (TLS), which protects the connection over which the message travels; note that NIST no longer approves the older SSL versions, so in practice this means TLS. Encrypting your email with AES or TLS, or another NIST-approved standard, is a good place to start.

The next step is determining the strength of the mathematical algorithm used to protect, or scramble, your data. For AES this is the key length: a key shorter than 128 bits is not considered secure. The greater the number of bits, the stronger the protection. Many vendors and healthcare entities are transitioning to 256-bit encryption. This exceeds the NIST minimum, but is worth considering because it provides better protection to any PHI you transmit via the Internet.
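The following is an added example, not code from the original column or from Apgar & Associates, showing what the two points above look like in practice: a key-length check that refuses anything under the 128-bit floor before encrypting a message with AES (here AES-GCM, which also detects tampering), and a TLS client configuration that sets TLS 1.2 as the minimum version so the deprecated SSL and TLS 1.0/1.1 protocols cannot be negotiated. The message text, the key and the function names are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// MinKeyBits is the floor the column sets: keys under 128 bits are not
// considered secure for ePHI.
const MinKeyBits = 128

var ErrWeakKey = errors.New("key shorter than 128 bits")

// checkKeyLength rejects keys below the 128-bit floor and keys AES cannot
// use at all (AES accepts 16-, 24- or 32-byte keys: 128, 192 or 256 bits).
func checkKeyLength(key []byte) error {
	bits := len(key) * 8
	if bits < MinKeyBits {
		return ErrWeakKey
	}
	switch len(key) {
	case 16, 24, 32:
		return nil
	}
	return fmt.Errorf("AES does not support a %d-bit key", bits)
}

// sealMessage encrypts plaintext with AES-GCM under key. A fresh random
// 12-byte nonce is prepended to the output so openMessage can recover it.
func sealMessage(key, plaintext []byte) ([]byte, error) {
	if err := checkKeyLength(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openMessage reverses sealMessage. The GCM authentication tag check fails
// if the nonce or ciphertext was altered in transit.
func openMessage(key, sealed []byte) ([]byte, error) {
	if err := checkKeyLength(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, body := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, nil)
}

// newTransportConfig returns a TLS client configuration with TLS 1.2 as the
// floor, so SSL 3.0 and TLS 1.0/1.1 (not allowed by NIST SP 800-52) are
// never negotiated, e.g. when connecting to a mail server with STARTTLS.
func newTransportConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	// Constructed sample: a random 256-bit key and a short message.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	msg := []byte("Lab results for patient J. Doe attached (sample text)")

	sealed, err := sealMessage(key, msg)
	if err != nil {
		panic(err)
	}
	plain, err := openMessage(key, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %q\n", plain)

	// A 64-bit key is refused before any encryption takes place.
	_, err = sealMessage(make([]byte, 8), msg)
	fmt.Println("64-bit key:", err)
	fmt.Printf("TLS floor: 0x%04x\n", newTransportConfig().MinVersion)
}
```

The key-length check runs before the cipher is constructed, so a weak key never touches PHI; the GCM tag gives the recipient proof the message was not modified, which plain AES modes do not. The TLS configuration is the piece you would hand to a mail client or SMTP relay; the cipher inside the message and the protocol around it are separate controls and both need to meet the floor.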

The specific NIST standards that address PHI transmitted via email are NIST SP 800-52 (TLS), NIST SP 800-57 (key management), and Federal Information Processing Standard (FIPS) 140-2 (validated cryptographic modules).

OCR guidance published in an FAQ may be helpful with respect to understanding what is considered “secure” electronic PHI when transmitted via the Internet or email.

Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Ore., answered this question, which first appeared in the May Briefings on HIPAA. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.
