Bud,

We do a lot of HIPAA related networking work and I believe what they may be asking for is a completely encrypted version of e-mail that will allow you to send confidential patient data via e-mail.

Unless you encrypt the actual e-mail message using a KEY, this is not an option. If you encrypt the message with a KEY, then both the SENDER and the RECIPIENT will have to be set up to use the same method of encryption and decryption. All e-mail is sent as plain text between the e-mail servers. Even if you connect between the client and the e-mail server using an SSL level of security, the message itself, once it leaves the mail server to be delivered to the intended destination, will NOT be secure.

Our clients are re-certified by the Joint Commission on Accreditation every two years. The issue of HIPAA compliant e-mail has never prevented their re-certification by that commission.

According to the link at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2003_register&docid=fr20fe03-4, which generally covers "standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers", the only real requirement of e-mail at this time is AUTHENTICATION, and it is clearly stated that this "MAY meet the security standards":

"For example, in order to comply with the Privacy Rule requirements to make reasonable efforts to limit the access of members of the work force to specified categories of protected health information, covered entities may implement some of the administrative, physical, and technical safeguards that the entity's risk analysis and assessment would require under the Security Rule. E-mail authentication procedures put into place for privacy protection may also meet the security standards, thereby eliminating the need for additional investments to meet these standards. As a result, covered entities that have moved forward in implementing the privacy standards are also implementing security measures at the same time.

Since the proposed security standards proposed rule represents the most authoritative guidance now available on the nature of these standards, some entities have been using them to develop their security measures. Those entities should face minimal incremental costs in implementing the final version of these standards."

There's a lot about HIPAA in general that is subject to interpretation. It is not fully implemented yet, but anyone who works in the Health Care industry must make every reasonable effort to protect the confidentiality of patient data.

Hope this helps.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Bud Durland
Sent: Friday, April 23, 2004 08:22
To: [EMAIL PROTECTED]
Subject: Re: [IMail Forum] HIPAA complient email system

info wrote:
>
> can anyone tell me if I can make imail HIPAA compliant. and if it can
> not can anyone tell me what email system can be used to provide that
> type of service or what I can do to make imail compliant.
>

What is an e-mail system required to do in order to be HIPAA compliant?

--
----------------------------------------------------------------
Bud Durland, CNE
[EMAIL PROTECTED]
fax: 518-561-0017
----------------------------------------------------------------
For sale: Parachute. Like new, used once. Small stain.
----------------------------------------------------------------

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
