Thanks for that info John.
James
----- Original Message -----
From: John Cook
To: NT System Admin Issues
Sent: Tuesday, May 18, 2010 9:54 AM
Subject: RE: HIPAA Question
As copied from the HHS.gov site -
Must the HIPAA Privacy Rule's minimum necessary standard to be applied
to uses or disclosure that are authorized by an individual?
Answer:
No. Uses and disclosures that are authorized by the individual
are exempt from the minimum necessary requirements.
Does the HIPAA Privacy Rule permit a doctor, laboratory, or other
health care provider to share patient health information for treatment purposes
by fax, e-mail, or over the phone?
Answer:
Yes. The Privacy Rule allows covered health care providers to
share protected health information for treatment purposes without patient
authorization, as long as they use reasonable safeguards when doing so. These
treatment communications may occur orally or in writing, by phone, fax, e-mail,
or otherwise.
Note the statement "reasonable safeguards" - there is no hard and
fast this is what you have to do it all boils down to taking steps to protect
the data. If you can show that reasonable care was taken (as in password
protected docs) you have fulfilled your obligation. It may not be ideal but it
fulfills the intent of the law.
John W. Cook
Systems Administrator
Partnership For Strong Families
315 SE 2nd Ave
Gainesville, Fl 32601
Office (352) 393-2741 x320
Cell (352) 215-6944
Fax (352) 393-2746
MCSE, MCTS, MCP+I, A+, N+, VSP4, VTSP4
From: Alan Davies [mailto:[email protected]]
Sent: Tuesday, May 18, 2010 4:37 AM
To: NT System Admin Issues
Subject: RE: HIPAA Question
Again, I am no HIPAA expert, but most legislation in this respect is about
transmitting data as a business. If a customer requests something, I don't
believe it is generally held to the same standards and this certainly is an
approach that auditors have been more than happy with in the past.
What you must not do is send the patients data to a 3rd party unencrypted
under any circumstances. Whether it's Hotmail or not isn't particularly
relevant - some businesses use free email as their work addresses. You'd do a
security assessment on them as with any other business (yes, it's not really a
very good indicator!!). Due diligence is key.
Back to the issue - customer requests something in a particular way ... make
them aware of the issues and give them the choice. Really it sounds like the
best "enterprise" solution would be to have a secure web portal, but that
brings in a whole bucket-load of Internet facing risk too so unless you can do
it right, don't do it at all! Talk to your auditors ....
a
P.S. beware of "password protected" files. It's usually absolutely trivial
to break such schemes. Proper encryption should be used in all cases with a
respected product (eg. PGP, etc.).
------------------------------------------------------------------------------
From: James Kerr [mailto:[email protected]]
Sent: 14 May 2010 22:36
To: NT System Admin Issues
Subject: Re: HIPAA Question
Well what if you encrypted the data? ie: password protected zip file, then I
dont believe you have a violation.
----- Original Message -----
From: Jeff Brown
To: NT System Admin Issues
Sent: Friday, May 14, 2010 5:30 PM
Subject: Re: HIPAA Question
I thought the hotmail reference was a total joke. protecting information,
not having ID put together with personal medical information is only part of
the equation. It is a violation to send pki over the internet CLEAR TEXT,
which I believe anything sent to or from a hotmail account would fall into that
category, so no matter what you did to secure the identity of the recipient,
its still a violation, right?
************************************************************************************
WARNING:
The information in this email and any attachments is confidential and may be
legally privileged.
If you are not the named addressee, you must not use, copy or disclose this
email (including any attachments) or the information in it save to the named
addressee nor take any action in reliance on it. If you receive this email or
any attachments in error, please notify the sender immediately and then delete
the same and any copies.
"CLS Services Ltd × Registered in England No 4132704 × Registered Office:
Exchange Tower × One Harbour Exchange Square × London E14 9GE"
------------------------------------------------------------------------------
CONFIDENTIALITY STATEMENT: The information transmitted, or contained or
attached to or with this Notice is intended only for the person or entity to
which it is addressed and may contain Protected Health Information (PHI),
confidential and/or privileged material. Any review, transmission,
dissemination, or other use of, and taking any action in reliance upon this
information by persons or entities other than the intended recipient without
the express written consent of the sender are prohibited. This information may
be protected by the Health Insurance Portability and Accountability Act of 1996
(HIPAA), and other Federal and Florida laws. Improper or unauthorized use or
disclosure of this information could result in civil and/or criminal penalties.
Consider the environment. Please don't print this e-mail unless you really
need to.
This email and any attached files are confidential and intended solely for
the intended recipient(s). If you are not the named recipient you should not
read, distribute, copy or alter this email. Any views or opinions expressed in
this email are those of the author and do not represent those of the company.
Warning: Although precautions have been taken to make sure no viruses are
present in this email, the company cannot accept responsibility for any loss or
damage that arise from the use of this email or attachments.
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
