As copied from the HHS.gov site - Must the HIPAA Privacy Rule's minimum necessary standard to be applied to uses or disclosure that are authorized by an individual? Answer: No. Uses and disclosures that are authorized by the individual are exempt from the minimum necessary requirements.
Does the HIPAA Privacy Rule permit a doctor, laboratory, or other health care provider to share patient health information for treatment purposes by fax, e-mail, or over the phone? Answer: Yes. The Privacy Rule allows covered health care providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so. These treatment communications may occur orally or in writing, by phone, fax, e-mail, or otherwise. Note the statement "reasonable safeguards" - there is no hard and fast this is what you have to do it all boils down to taking steps to protect the data. If you can show that reasonable care was taken (as in password protected docs) you have fulfilled your obligation. It may not be ideal but it fulfills the intent of the law. John W. Cook Systems Administrator Partnership For Strong Families 315 SE 2nd Ave Gainesville, Fl 32601 Office (352) 393-2741 x320 Cell (352) 215-6944 Fax (352) 393-2746 MCSE, MCTS, MCP+I, A+, N+, VSP4, VTSP4 From: Alan Davies [mailto:[email protected]] Sent: Tuesday, May 18, 2010 4:37 AM To: NT System Admin Issues Subject: RE: HIPAA Question Again, I am no HIPAA expert, but most legislation in this respect is about transmitting data as a business. If a customer requests something, I don't believe it is generally held to the same standards and this certainly is an approach that auditors have been more than happy with in the past. What you must not do is send the patients data to a 3rd party unencrypted under any circumstances. Whether it's Hotmail or not isn't particularly relevant - some businesses use free email as their work addresses. You'd do a security assessment on them as with any other business (yes, it's not really a very good indicator!!). Due diligence is key. Back to the issue - customer requests something in a particular way ... make them aware of the issues and give them the choice. Really it sounds like the best "enterprise" solution would be to have a secure web portal, but that brings in a whole bucket-load of Internet facing risk too so unless you can do it right, don't do it at all! Talk to your auditors .... a P.S. beware of "password protected" files. It's usually absolutely trivial to break such schemes. Proper encryption should be used in all cases with a respected product (eg. PGP, etc.). ________________________________ From: James Kerr [mailto:[email protected]] Sent: 14 May 2010 22:36 To: NT System Admin Issues Subject: Re: HIPAA Question Well what if you encrypted the data? ie: password protected zip file, then I dont believe you have a violation. ----- Original Message ----- From: Jeff Brown<mailto:[email protected]> To: NT System Admin Issues<mailto:[email protected]> Sent: Friday, May 14, 2010 5:30 PM Subject: Re: HIPAA Question I thought the hotmail reference was a total joke. protecting information, not having ID put together with personal medical information is only part of the equation. It is a violation to send pki over the internet CLEAR TEXT, which I believe anything sent to or from a hotmail account would fall into that category, so no matter what you did to secure the identity of the recipient, its still a violation, right? ************************************************************************************ WARNING: The information in this email and any attachments is confidential and may be legally privileged. If you are not the named addressee, you must not use, copy or disclose this email (including any attachments) or the information in it save to the named addressee nor take any action in reliance on it. If you receive this email or any attachments in error, please notify the sender immediately and then delete the same and any copies. "CLS Services Ltd × Registered in England No 4132704 × Registered Office: Exchange Tower × One Harbour Exchange Square × London E14 9GE" ________________________________ CONFIDENTIALITY STATEMENT: The information transmitted, or contained or attached to or with this Notice is intended only for the person or entity to which it is addressed and may contain Protected Health Information (PHI), confidential and/or privileged material. Any review, transmission, dissemination, or other use of, and taking any action in reliance upon this information by persons or entities other than the intended recipient without the express written consent of the sender are prohibited. This information may be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other Federal and Florida laws. Improper or unauthorized use or disclosure of this information could result in civil and/or criminal penalties. Consider the environment. Please don't print this e-mail unless you really need to. This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the company. Warning: Although precautions have been taken to make sure no viruses are present in this email, the company cannot accept responsibility for any loss or damage that arise from the use of this email or attachments. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
