We provide a capture portal (Axway) for people to retrieve HIPAA regulated
stuff. However, if a company wants, we will set up a TLS connection with them.
We have a very short form they have to fill out indicating they have a HIPAA
policy regarding handling PHI and have provisions in place to handle data, etc.
Once we have that agreement, we turn it on.
 
It's a very short form.
 
HIPAA is a weird beast because there is not much case law built up about it at
this point and no one wants to be the first case that sets a precedent :)
 
Steven
 
From: [email protected]
To: [email protected]
Subject: RE: [BULK] [NTSysADM] RE: is email over SSL same as email encryption?
Date: Wed, 23 Apr 2014 23:15:14 -0400

In Jimmy's scenario, message contents (including username and pwd) will be
encrypted, but only between the client and the service provider. There is no
encryption once the messages arrive at the servers, or when they relay
(although the original user name and pwd are protected). The data-in-motion and
data-at-rest argument mentioned below is worth understanding. At any rate,
BlueHost specifically states it is not compliant:
https://my.bluehost.com/cgi/help/hipaa

I am certainly not a HIPAA expert, but I would probably look at just hosting
your email on Office 365 or Google Apps, both of which will provide a BAA letter
(a strong but not complete part of HIPAA compliance).

Alex Eckelberry
www.eckelberry.com
www.linkedin.com/in/alexeck

From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Wednesday, April 23, 2014 12:11 PM
To: [email protected]
Subject: RE: [BULK] [NTSysADM] RE: is email over SSL same as email encryption?

Not if SMTP is encrypted via SSL or TLS.

From: [email protected] [mailto:[email protected]] On Behalf Of Matthew W. Ross
Sent: Wednesday, April 23, 2014 12:01 PM
To: [email protected]
Subject: Re: [BULK] [NTSysADM] RE: is email over SSL same as email encryption?
I am no security expert, so forgive my ignorance. I understand that Exchange
servers have the ability to encrypt all the "data at rest" on the server, and
may well be able to encrypt the data sent to a client using ActiveSync. But,
isn't it true that an email, once it leaves the server via SMTP, is unencrypted?

--Matt Ross
Ephrata School District

Michael B. Smith <[email protected]>, 4/23/2014 8:54 AM:

This would be better on the Exchange list. But two concepts come into play:
data-at-rest and data-in-motion. Data-in-motion, in MANY (not even most, just
many) modern systems, is encrypted using SSL or TLS. If the system is Exchange,
then Exchange ensures that all data in transit is always encrypted.
Data-at-rest is far more complex and requires a certain level of operational
maturity to implement. Lots of third party compliant email systems do this on
THEIR servers. But not on yours. Authenticated data-in-motion and authenticated
data-at-rest are what you refer to by suggesting "key exchange is required".
Typically, this is S/MIME. And that's a whole different kettle of fish.

From: [email protected] [mailto:[email protected]] On Behalf Of Jimmy Tran
Sent: Wednesday, April 23, 2014 11:31 AM
To: [email protected]
Subject: [NTSysADM] RE: is email over SSL same as email encryption?

After doing some more reading, it looks like the sender and recipient need to
exchange keys for this to work. To the members here who have to be HIPAA
compliant for email, do you mind sharing what you have in place? Do you use a
3rd party to handle this? How do you communicate with users outside your
organization and also be compliant?

From: [email protected] [mailto:[email protected]] On Behalf Of Jimmy Tran
Sent: Wednesday, April 23, 2014 8:19 AM
To: [email protected]
Subject: [NTSysADM] is email over SSL same as email encryption?

I ask this because I have a client who wants to be HIPAA compliant with patient
communication. I don't know much about compliance with email except that the
email needs to be encrypted. Currently, they use email hosted by bluehost via
IMAP and over SSL. This just means the connection to bluehost is encrypted,
but by the time it hits the patient's inbox, it is no longer encrypted, correct?

TIA, Jimmy
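The thread's central point, that SSL/TLS on IMAP or SMTP protects a message only on the hop where it is used and each relay sees plaintext, can be checked on a delivered message by reading its Received: trace hop by hop. The following is an added example, not code from anyone in this thread; the sample headers and host names in it are constructed.

```python
"""Per-hop transport-encryption audit from Received: headers (added example).

Every relay that accepts a message prepends a Received: line, and RFC 3848
defines the 'with' keywords ESMTPS / ESMTPSA for hops that used STARTTLS, so
the trace shows which hops carried the message in clear text. Sample headers
and host names are constructed, not taken from the thread.
"""
import re
from email import message_from_string

# Constructed sample: three hops; the middle relay accepted it without TLS.
SAMPLE = """\
Received: from mx.clinic.example (mx.clinic.example [192.0.2.10])
\tby mail.hospital.example with ESMTPS id abc123
\t(version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256);
\tWed, 23 Apr 2014 12:01:00 -0700
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.clinic.example with ESMTP id def456;
\tWed, 23 Apr 2014 12:00:50 -0700
Received: from laptop.local (unknown [203.0.113.5])
\tby relay.isp.example with ESMTPSA id ghi789;
\tWed, 23 Apr 2014 12:00:40 -0700
Subject: appointment

body
"""

TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}  # RFC 3848 / 6531
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S)


def audit_hops(raw: str) -> list[dict]:
    """One record per hop, oldest first (headers are stored newest-first)."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(hdr.split()))  # unfold the header first
        if not m:
            continue
        src, dst, proto = m.groups()
        proto = proto.rstrip(";")
        hops.append({"from": src, "by": dst, "protocol": proto,
                     "encrypted": proto.upper() in TLS_KEYWORDS})
    return hops


def cleartext_hops(raw: str) -> list[str]:
    """Relays that accepted the message without STARTTLS."""
    return [f"{h['from']} -> {h['by']}" for h in audit_hops(raw) if not h["encrypted"]]
```

Only the Received: line written by your own MTA is trustworthy; earlier lines are whatever the upstream relays chose to record, and an ESMTPS keyword shows STARTTLS was negotiated, not that the relay verified the peer's certificate. This is exactly why the thread ends at S/MIME for end-to-end protection rather than relying on transport encryption alone.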
