- HIPAA Update - http://blogs.hcpro.com/hipaa -

HIPAA Q&A: ePHI in zipped encrypted archives

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q. I realize that when determining whether a breach is reportable, an organization must determine whether the ePHI was secure. However, if a covered entity or business associate uses encryption to secure ePHI contained in zipped encrypted archives that are then sent via email, must the method of encryption be Federal Information Processing Standard compliant to obtain safe harbor?

A. If the zip file is encrypted at the level set by the National Institute of Standards and Technology (NIST) and the password for unencrypting the zip file is not sent in the same email, it falls within the NIST safe harbor. Generally, if a file is encrypted at 128 bits, it meets the safe harbor standard. Ensuring that the file compression software used meets the NIST standard is a good idea. If the software does not meet this standard, it may lead to a reportable breach.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
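The answer's advice to confirm that the compression software meets the NIST standard has a practical check behind it: a zip archive records in its own headers whether each entry is encrypted, and whether the scheme is the legacy PKWARE "ZipCrypto" (not a NIST-approved algorithm) or AES, including the AES key size. The script below is an added example written for this column, not code from HCPro or from Apgar & Associates. It reads only the archive's central directory, never the payload, so it does not decrypt anything. It assumes the published WinZip AES layout (extra-field header id 0x9901, compression method 99, strength byte 1/2/3 meaning 128/192/256-bit keys), and the sample archives it builds are constructed for the demonstration with placeholder payloads rather than real ciphertext.

```python
"""Report the encryption scheme declared in a ZIP archive's central directory.

Added example for this HIPAA Q&A, not code from HCPro or Apgar & Associates.
Only headers are read (no decryption). Assumes the published WinZip AES layout:
extra-field id 0x9901, compression method 99, strength byte 1/2/3 = 128/192/256 bits.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
AES_EXTRA_ID = 0x9901          # WinZip AES extra-field header id
AES_METHOD = 99                # compression method value that signals AES
AES_STRENGTH_BITS = {1: 128, 2: 192, 3: 256}
CENTRAL_FMT = "<4s6H3I5H2I"    # 46-byte central directory file header
LOCAL_FMT = "<4s5H3I2H"        # 30-byte local file header
EOCD_FMT = "<4s4H2IH"          # 22-byte end-of-central-directory record


@dataclass
class EntryEncryption:
    name: str
    scheme: str    # "none", "zipcrypto" (legacy PKWARE) or "aes"
    key_bits: int  # AES key size; 0 for the other schemes


def _extra_fields(extra: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (header_id, data) for each record in a ZIP extra-field blob."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        yield hid, extra[pos + 4:pos + 4 + size]
        pos += 4 + size


def inspect_zip(blob: bytes) -> List[EntryEncryption]:
    """Return the declared encryption of every entry, read from the central directory."""
    eocd_pos = blob.rfind(EOCD_SIG)
    if eocd_pos < 0:
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    _, _, _, _, total, _, cd_off, _ = struct.unpack_from(EOCD_FMT, blob, eocd_pos)
    entries, pos = [], cd_off
    for _ in range(total):
        fields = struct.unpack_from(CENTRAL_FMT, blob, pos)
        sig, flags, method = fields[0], fields[3], fields[4]
        fnlen, xlen, clen = fields[10], fields[11], fields[12]
        if sig != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        name = blob[pos + 46:pos + 46 + fnlen].decode("utf-8", "replace")
        extra = blob[pos + 46 + fnlen:pos + 46 + fnlen + xlen]
        scheme, bits = "none", 0
        if flags & 0x1:                   # general-purpose bit 0: entry is encrypted
            scheme = "zipcrypto"          # legacy scheme unless an AES record says otherwise
            if method == AES_METHOD:
                for hid, data in _extra_fields(extra):
                    if hid == AES_EXTRA_ID and len(data) >= 5:
                        scheme, bits = "aes", AES_STRENGTH_BITS.get(data[4], 0)
        entries.append(EntryEncryption(name, scheme, bits))
        pos += 46 + fnlen + xlen + clen
    return entries


def meets_minimum(entries: List[EntryEncryption], min_bits: int = 128) -> bool:
    """True only if every entry is AES-encrypted with at least min_bits of key."""
    return bool(entries) and all(e.scheme == "aes" and e.key_bits >= min_bits for e in entries)


def build_sample_zip(name: str, payload: bytes, scheme: str = "none", key_bits: int = 256) -> bytes:
    """Constructed single-entry archive: real headers, placeholder payload (not real ciphertext)."""
    fname = name.encode()
    flags = 0 if scheme == "none" else 1
    method, extra = 0, b""
    if scheme == "aes":
        method = AES_METHOD
        strength = {128: 1, 192: 2, 256: 3}[key_bits]
        extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, 0)
    local = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, flags, method, 0, 0,
                        0, len(payload), len(payload), len(fname), len(extra)) + fname + extra
    central = struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, flags, method, 0, 0,
                          0, len(payload), len(payload), len(fname), len(extra),
                          0, 0, 0, 0, 0) + fname + extra
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, 1, 1, len(central), len(local) + len(payload), 0)
    return local + payload + central + eocd


if __name__ == "__main__":
    for label, archive in [
        ("no encryption", build_sample_zip("phi.csv", b"placeholder", "none")),
        ("legacy ZipCrypto", build_sample_zip("phi.csv", b"placeholder", "zipcrypto")),
        ("AES-256", build_sample_zip("phi.csv", b"placeholder", "aes", 256)),
    ]:
        entries = inspect_zip(archive)
        print(f"{label:18} -> {entries[0]}  meets 128-bit AES minimum: {meets_minimum(entries)}")
```

Run it against a real archive by passing `open(path, "rb").read()` to `inspect_zip`. Two limits worth keeping in mind: the check reads what the archiver declared, so it confirms the scheme and key size the tool used but does not validate the ciphertext itself, and it says nothing about the second condition in the answer, which is a matter of process: the password must travel separately from the email that carries the archive.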