Again, I am no HIPAA expert, but most legislation in this respect is about transmitting data as a business. If a customer requests something, I don't believe it is generally held to the same standards and this certainly is an approach that auditors have been more than happy with in the past. What you must not do is send the patients data to a 3rd party unencrypted under any circumstances. Whether it's Hotmail or not isn't particularly relevant - some businesses use free email as their work addresses. You'd do a security assessment on them as with any other business (yes, it's not really a very good indicator!!). Due diligence is key. Back to the issue - customer requests something in a particular way ... make them aware of the issues and give them the choice. Really it sounds like the best "enterprise" solution would be to have a secure web portal, but that brings in a whole bucket-load of Internet facing risk too so unless you can do it right, don't do it at all! Talk to your auditors .... a P.S. beware of "password protected" files. It's usually absolutely trivial to break such schemes. Proper encryption should be used in all cases with a respected product (eg. PGP, etc.).
________________________________ From: James Kerr [mailto:[email protected]] Sent: 14 May 2010 22:36 To: NT System Admin Issues Subject: Re: HIPAA Question Well what if you encrypted the data? ie: password protected zip file, then I dont believe you have a violation. ----- Original Message ----- From: Jeff Brown <mailto:[email protected]> To: NT System Admin Issues <mailto:[email protected]> Sent: Friday, May 14, 2010 5:30 PM Subject: Re: HIPAA Question I thought the hotmail reference was a total joke. protecting information, not having ID put together with personal medical information is only part of the equation. It is a violation to send pki over the internet CLEAR TEXT, which I believe anything sent to or from a hotmail account would fall into that category, so no matter what you did to secure the identity of the recipient, its still a violation, right? ************************************************************************************ WARNING: The information in this email and any attachments is confidential and may be legally privileged. If you are not the named addressee, you must not use, copy or disclose this email (including any attachments) or the information in it save to the named addressee nor take any action in reliance on it. If you receive this email or any attachments in error, please notify the sender immediately and then delete the same and any copies. "CLS Services Ltd × Registered in England No 4132704 × Registered Office: Exchange Tower × One Harbour Exchange Square × London E14 9GE" ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
