Health Information Management

Q&A: Encryption levels

HIM-HIPAA Insider, April 17, 2012

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Q. Can you please explain in an understandable way for nontechnical individuals what level of encryption is needed for email to be considered secure as defined in the interim final breach notification rule?

A. All ePHI, including email, is considered secure if it is secured at a level consistent with the National Institute of Standards and Technology (NIST). Most NIST documents are not easily decipherable to nontechnical individuals. You can use several different standards, such as the Advanced Encryption Standard (AES), to encrypt data transmitted via email.

Secure Socket Layers (SSL) is another approved standard, usually used for website encryption and webmail encryption. If you are encrypting email using AES, SSL, or another NIST approved standard, that’s a good place to start.

The next step is to determine how strong the mathematical algorithm used to protect, or “scramble,” your data is. If the algorithm is less than 128-bit, it is not secure . The larger the number of bits, the stronger the algorithm. A number of vendors and healthcare entities are moving to 256-bit encryption. This exceeds the NIST standard but is worth considering because it better protects any PHI you transmit over the Internet.

The specific NIST standards that address PHI transmitted via email are NIST 800-52, NIST 800-57, and Federal Information Processing Standards 140-2.

For more information, OCR has published guidance in an FAQ that may be helpful regarding what is considered “secure” electronic PHI when transmitted over the Internet or in an email (

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question, which ran in the April edition of the HCPro, Inc. newsletter, Briefings on HIPAA.


Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Most Popular