
May 28

HIPAA Q&A: ePHI in zipped encrypted archives


Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q. I realize that when determining whether a breach is reportable, an organization must determine whether the ePHI was secure. However, if a covered entity or business associate uses encryption to secure ePHI contained in zipped encrypted archives that are then sent via email, must the method of encryption be Federal Information Processing Standard compliant to obtain safe harbor?

A. If the zip file is encrypted at the level set by the National Institute of Standards and Technology (NIST) and the password for unencrypting the zip file is not sent in the same email, it falls within the NIST safe harbor. Generally, if a file is encrypted at 128 bits, it meets the safe harbor standard. Ensuring that the file compression software used meets the NIST standard is a good idea. If the software does not meet this standard, it may lead to a reportable breach.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
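Added example, not part of HCPro's post or Mr. Apgar's answer: a standard-library Python audit that reads a zip archive's central directory and reports, per entry, whether it is unencrypted, uses the legacy ZipCrypto scheme (not a NIST-approved algorithm), or uses AES (the WinZip AE-x layout: compression method 99 plus the 0x9901 extra field, whose strength byte gives 128/192/256). The sample archive is constructed inside the script, with placeholder payloads, since only the headers matter for the check; a test like this is one way to confirm that the compression software actually produced AES-128 or stronger before relying on safe harbor.

```python
import struct

AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def classify(flags: int, method: int, extra: bytes) -> str:
    """Name the encryption scheme from a central-directory entry's header fields."""
    if not flags & 0x0001:                      # general-purpose bit 0: entry is encrypted
        return "unencrypted"
    if method != 99:                            # 99 = WinZip AE-x (AES) container method
        return "ZipCrypto (legacy, not AES)"
    pos = 0
    while pos + 4 <= len(extra):                # walk the extra-field blocks looking for id 0x9901
        ext_id, size = struct.unpack_from("<HH", extra, pos)
        if ext_id == 0x9901 and size >= 7:      # byte 8 of the block is the AES strength code
            return AES_STRENGTH.get(extra[pos + 8], "AES (unknown strength)")
        pos += 4 + size
    return "method 99 without AES extra field (malformed)"


def audit_zip(data: bytes) -> dict:
    """Map each archived file name to its encryption scheme, read from the central directory."""
    eocd = data.rfind(b"PK\x05\x06")            # end-of-central-directory record
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    report = {}
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":  # central-directory file header signature
            raise ValueError("corrupt central directory")
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8")
        extra = data[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        report[name] = classify(flags, method, extra)
        pos += 46 + name_len + extra_len + comment_len
    return report


def build_zip(entries) -> bytes:
    """Constructed test data: a structurally valid zip with placeholder payloads and CRCs."""
    body, cd, payload = b"", b"", b"\0" * 16
    for name, flags, method, extra in entries:
        n, off = name.encode(), len(body)
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0, 0,
                            16, 16, len(n), len(extra)) + n + extra + payload
        cd += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, 0, 0,
                          0, 16, 16, len(n), len(extra), 0, 0, 0, 0, off) + n + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries), len(cd), len(body), 0)
    return body + cd + eocd


AES_128_EXTRA = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 1, 8)   # AE-2, strength 1 = AES-128
SAMPLE_ZIP = build_zip([("labs.csv", 0x0001, 99, AES_128_EXTRA),     # AES-128: meets the bar
                        ("notes.txt", 0x0001, 8, b""),               # legacy ZipCrypto: does not
                        ("readme.txt", 0x0000, 8, b"")])             # not encrypted at all
```

Running `audit_zip` over a real archive produced by your compression tool shows whether every entry reports an AES strength; any ZipCrypto or unencrypted entry means the file should not be treated as secured.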

Comments

  1. What if you sent the unencrypted e-mail to the intended recipient? Would this just be a violation of policy and not a privacy breach under HITECH?
