One more point to add (sorry to keep raining on a good idea):  Interoperability has always been a major challenge to doing secure email.  If I buy secure email system X and you buy secure email system Y, can we exchange secure email?  Probably not.

The Massachusetts component of HealthKey (the Mass. Health Data Consortia) did an interoperability project for secure email.  I think they started with 6 (5?) secure email vendors, all of which claimed to have implemented the X.509 (v3?) standard.  However, when tested, none of these systems could read each other's email.  This was a couple of years ago so perhaps this problem has been solved, but interoperability is something to consider if you are looking at secure email systems.

And then there is the problem of trying to send secure email to someone who doesn't have secure email facilities.  Vendors have come up with clever ways to deal with this, but it is far from being automatic or transparent.  Secure email still seems to be much more difficult than it appears on first blush.

Jan Root
 
 

[EMAIL PROTECTED] wrote:

 
Traditional email systems are very difficult to make secure.  They are subject to numerous potential hazards that affect security and privacy, and thus make them non-compliant.  You will notice changing language in the terms and conditions of some "free" web-based email systems already - declaring their non-HIPAA compliance upfront.

The problem with traditional email is severalfold, I believe.   First, there is the simple matter of transmission reliability.  Emails are passed through a network of systems, some or all of which could retain copies of the email - can you get Trusted Party Agreements with each?  No way - you NEVER know what systems touch your emails.  Emails are also not always received.  Other than requesting a "Read Receipt", there is no way to know with a traditional email what ultimately happens to it - take a look at the transmission header info of a few of your own emails and you will begin to see the problem.  Security is a big problem in traditional emails.  You can use "Certificates" or even PGP-encrypt them; this may secure the contents, but you still have the network Trust problems.

There is, however, a solution for this.  There is one company who has developed a new product/service/technology for a full "trusted" email network, with a secure reliable client and server.  It appears fully ready to go and solid.  The company is LOK technology (www.loktech.com).  Their system inherently appears compliant (good enough for the CIA & NSA; former directors of both agencies are on their boards).  In addition, they have a secure file transmission service called LOKvault that would replace the traditional FTP approach so many use.  While my company does not yet use it for our clients, I have evaluated it and I am strongly pushing its adoption as the standard for all our compliance implementations.  One less issue to worry about.  I would strongly encourage all to look at their website for more info.

Regards,
Dr. Tim McGuinness, Ph.D.
Sr. Compliance Specialist & Solutions Architect
Certified HIPAA Chief Privacy Officer
DynTek Inc.
www.dyntek.com
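The "take a look at the transmission header info of a few of your own emails" advice above, as an added example that is not part of the original message and not code from any product it names: a small Python script that reads the Received: headers of a constructed sample message, rebuilds the relay path in transit order, and lists which hops fall outside a sender-chosen trusted set. The hostnames, addresses and timestamps in the sample are made up for this example (reserved documentation ranges); the parsing assumes the standard "from <host> ... by <host> ...; <date>" trace form.

```python
"""Trace the relay path recorded in an email's Received: headers.

Added example, not code from the mailing-list thread or from any vendor it
names. Each relay that handles a message prepends its own Received: header,
so reading them bottom-up reconstructs the path the message took, which is
the only record a sender has of which systems touched it. A relay can write
whatever it likes into its own header and can forge the ones below it, so
the path is only as trustworthy as the relays that wrote it.
"""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message (reserved documentation hostnames and addresses).
# Path in transit order: workstation-42 -> mail.clinic.example
#   -> relay.isp.example -> mx.hospital.example
SAMPLE_MESSAGE = """\
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
    by mx.hospital.example with ESMTP id abc123;
    Mon, 29 Apr 2002 10:14:02 -0800
Received: from mail.clinic.example (mail.clinic.example [192.0.2.10])
    by relay.isp.example with ESMTP;
    Mon, 29 Apr 2002 10:13:55 -0800
Received: from workstation-42 (unknown [203.0.113.9])
    by mail.clinic.example with ESMTP;
    Mon, 29 Apr 2002 10:13:40 -0800
From: sender@clinic.example
To: records@hospital.example
Subject: Transmitting Patient Information via Internet (Email)

(body omitted)
"""

# "from <sending host> ... by <receiving host>" is the standard trace form.
HOP_RE = re.compile(r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)")


def parse_hop(header_value):
    """Return (from_host, by_host, timestamp) for one Received: header.

    Returns None for a header that does not carry the from/by clause.
    The timestamp is taken from the text after the final ';' and is None
    if it is missing or unparseable.
    """
    value = " ".join(header_value.split())  # unfold continuation lines
    match = HOP_RE.search(value)
    if not match:
        return None
    timestamp = None
    if ";" in value:
        try:
            timestamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            timestamp = None
    return (match.group("from").rstrip(";,"), match.group("by").rstrip(";,"), timestamp)


def relay_path(raw_message):
    """Hops in transit order (origin first).

    Headers are prepended, so the first Received: in the message is the
    final hop; reversing the list reads the path forwards.
    """
    msg = email.message_from_string(raw_message)
    hops = [h for h in map(parse_hop, msg.get_all("Received", [])) if h]
    hops.reverse()
    return hops


def hosts_that_touched(raw_message):
    """Every host named in the path, in order, each listed once.

    Any of these could have retained a copy of the message in transit.
    """
    seen = []
    for from_host, by_host, _ in relay_path(raw_message):
        for host in (from_host, by_host):
            if host not in seen:
                seen.append(host)
    return seen


def untrusted_hops(raw_message, trusted_hosts):
    """Hops whose receiving relay is outside the sender's trusted set.

    This is the part of the path no agreement with the sender covers; if
    it is non-empty, only end-to-end encryption of the content protects it.
    """
    return [(f, b) for f, b, _ in relay_path(raw_message) if b not in trusted_hosts]


if __name__ == "__main__":
    for from_host, by_host, when in relay_path(SAMPLE_MESSAGE):
        stamp = when.isoformat() if when else "no timestamp"
        print(f"{from_host:22} -> {by_host:22} at {stamp}")
    print("hosts that touched the message:", hosts_that_touched(SAMPLE_MESSAGE))
    print("hops outside the clinic's control:",
          untrusted_hops(SAMPLE_MESSAGE, {"mail.clinic.example"}))
```

Run against a real message, the script shows the same thing the post describes: every hop after the sender's own server is a system the sender has no agreement with and cannot audit, which is why encrypting the content (S/MIME or PGP) is the only control the sender actually holds over it.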
-----Original Message-----
From: David Frenkel [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 29, 2002 1:41 PM
To: [EMAIL PROTECTED]
Subject: RE: Transmitting Patient Information via Internet (Email)
 

 
 

Danae,

I have never seen it discussed but it would be interesting to hear people's responses about requesting verification of an email before PHI is sent. For example, we are sending information about John Doe; is this facility expecting/requesting information about this person (very high level)? There have been a number of high profile cases, and we all do it, send emails to the wrong person. Encrypting your emails verifies the data will get to its destination unread, but it may be the wrong information.

I realize there are no easy answers and my suggestion is full of holes.

Regards,

David Frenkel

Business Development

GEFEG USA

Global Leader in Ecommerce Tools

www.gefeg.com

425-260-5030

-----Original Message-----

From: dslowik [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 29, 2002 10:14 AM
To: [EMAIL PROTECTED]
Subject: FW: Transmitting Patient Information via Internet (Email)

What is the standard regarding the transmittal of PHI via email to other providers etc?  If the safeguards are in place (encryption, passwords, confidentiality statements, etc), are facilities encouraging or allowing this?  Any feedback on this would be helpful.  Thank you.
Danae Slowik
Director of Admissions
Alaska Children's Services
ph: (907) 346-2101 ext 200
cell: (907) 301-5824

**********************************************************************
To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy
and enter your email address.

