Title: Re: Encryption
On 7/23/2003 6:38 PM, "Richard Shane" <[EMAIL PROTECTED]> wrote:

I have been told that governmental healthcare regulations will soon be requiring that my emails to my patients be encrypted for privacy.

  1. How do I do that? Can't Ent X do that, or do I need special software?
  2. I don't quite understand encryption in that if I encrypt it, how will my patient read it?

There are some really short answers to your questions, but it's a much deeper subject:

  1. Entourage can't encrypt files natively, to my knowledge, so you'll need an encryption client.
  2. Your patients will need to have compatible software on their computer to read your encrypted messages, and to send you their encrypted messages.

I'm not familiar with the healthcare regulations, so I don't know if there's an encryption strength standard. If I were a patient receiving medical advice through email, I'd want pretty strong encryption to ensure privacy, and I'd want a digital signature that I could verify and trust.

With that in mind, there are two choices that I'm aware of, and there may be others. One is PGP, once called Pretty Good Privacy. The other is Gnu Privacy Guard, or GPG.

PGP — The only commercial tool that I'm aware of for this is PGP. You can find their web site at <http://www.pgp.com>. Their personal edition works with Entourage, and is available for Windows. (They also have a white paper on their web site about HIPAA.) There's a free version, PGP Mail, for private, individual home use; that's good news for your patients. Look at their 'Products' page.

GPG — There's a free 'equivalent' of PGP called GPG, or Gnu Privacy Guard. It's also available for Macs and Windows, along with several variants of Unix. GPG can be obtained at
<http://www.gnupg.org/(en)/index.html>.

My guess is that the installation of PGP is easier than GPG, but I can't say for sure. PGP and GPG are supposed to be generally interoperable. By interoperable I mean that the public and private keys are interchangeable between PGP and GPG, and messages or files encrypted with one can be decrypted with the other, with the exception of the IDEA encryption algorithm. That shouldn't be much of a problem, as there are several other choices for an encryption algorithm.

If you haven't already thought about it, this will require setting up a key management routine. Both you and your patients will need to create key pairs: a public and private key. There's built in key management in the PGP software making key creation pretty easy, and I assume the same is true in GPG as well. But there will be the issue of getting your public key to your patients, and theirs to you, in a trusted way. That can be another discussion.

The PGP web site has several white papers, available from their home page. I highly recommend the one titled "Introduction to Cryptography". Another one that may be of particular interest for you is called "HIPAA Security Rule and PGP Corporation".

Good luck.

    James

