HIPAA Q&A: Email encryption advice for technology novices

Compliance Monitor, March 28, 2012

Q. Please explain the level of encryption necessary for email to be considered secured, as required by the interim final breach notification rule.

A. All ePHI, including email, is considered secure if it is secured at a level consistent with National Institute of Standards and Technology (NIST) standards. Most documents that meet these standards are not easily decipherable to nontechnical individuals. Several different standards may be used to encrypt data transmitted via email. One common approved standard is the Advanced Encryption Standard (AES). A second, usually used for website encryption and webmail encryption, is Secure Sockets Layer (SSL). Encrypting email with AES, SSL, or another NIST-approved standard is a good place to start.

Determining the strength of the mathematical algorithm used to protect or “scramble” your data is the next step. If the algorithm is less than 128-bit, your data is not secure. The larger the number of bits, the stronger the algorithm is. Some vendors and healthcare entities are transitioning to 256-bit encryption. This exceeds the NIST standard, but it is worth considering because it provides better protection for any PHI you transmit via the Internet.
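The two points above, AES as an approved algorithm and a 128-bit floor on key strength, can be seen together in a small program. This is an added illustration, not code from Apgar or Compliance Monitor: it uses Go's standard-library AES in GCM mode (the answer names AES but no mode; GCM is assumed here because it also detects tampering), the function names `NewKey`, `SealMessage`, `OpenMessage` and `KeyStrengthOK` are made up for the example, and the message body is a constructed sample, not real PHI.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// MinKeyBits is the floor stated in the answer: below 128 bits is not secure.
const MinKeyBits = 128

// KeyStrengthOK reports whether a key meets the 128-bit minimum. AES itself
// only accepts 128-, 192- or 256-bit keys, so aes.NewCipher rejects other
// lengths on top of this check.
func KeyStrengthOK(key []byte) bool {
	return len(key)*8 >= MinKeyBits
}

// NewKey generates a random AES key of the requested bit length.
func NewKey(bits int) ([]byte, error) {
	if bits != 128 && bits != 192 && bits != 256 {
		return nil, fmt.Errorf("AES key must be 128, 192 or 256 bits, got %d", bits)
	}
	key := make([]byte, bits/8)
	_, err := rand.Read(key)
	return key, err
}

// SealMessage encrypts a message body with AES-GCM, which gives both
// confidentiality and integrity. The random nonce is prepended to the output.
func SealMessage(key, plaintext []byte) ([]byte, error) {
	if !KeyStrengthOK(key) {
		return nil, fmt.Errorf("key is %d bits; %d-bit minimum required", len(key)*8, MinKeyBits)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext plus a 16-byte authentication tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenMessage reverses SealMessage; it fails if the key is wrong or the
// ciphertext was altered in transit.
func OpenMessage(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample body for the demonstration; not real patient data.
	body := []byte("Appointment confirmed for Tuesday at 10:00.")

	key, _ := NewKey(256) // 256-bit, the stronger option the answer mentions
	sealed, err := SealMessage(key, body)
	if err != nil {
		panic(err)
	}
	opened, err := OpenMessage(key, sealed)
	fmt.Printf("round trip ok: %v (err=%v)\n", string(opened) == string(body), err)

	// Flip one byte of the ciphertext: the GCM tag check rejects it.
	sealed[len(sealed)-1] ^= 0x01
	_, err = OpenMessage(key, sealed)
	fmt.Println("tampered message rejected:", err != nil)

	// A 64-bit key is refused before any encryption takes place.
	_, err = SealMessage(make([]byte, 8), body)
	fmt.Println("weak key rejected:", err)
}
```

The key-length check runs before the cipher is even constructed, which is the practical form of the "less than 128-bit is not secure" rule; the tamper test shows why an authenticated mode matters for email in transit, since a modified message is refused rather than decrypted to garbage.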

The specific NIST standards that address PHI transmitted via email are NIST 800-52, NIST 800-57, and Federal Information Processing Standards 140-2.

The OCR explains the necessary protections for ePHI transmitted via the Internet or email in an FAQ at http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2006.html.

Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question, which first appeared in the April Briefings on HIPAA. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.