Deborah,

This is an extremely tricky issue that requires significant analysis before even identifying an appropriate technical security mechanism. As many others on the listserv have noted, there are many encryption products available to do the message scrambling for privacy and signature hashing for non-repudiation. However, the issue of sending any kind of PHI over a public network (whether using email, FTP, or some other transfer mechanism) presents myriad concerns. HIPAA is also not the only regulation or standard that comes into play on this subject. HCFA has a well-defined internet security policy that specifies cryptographic standards and so forth for any transmission of medical information over a public network.

If your only concern is message confidentiality, then perhaps a browser-based interface to a secured web server (using transport layer security or SSL) using some strong form of authentication is the best solution (the Apache/Tomcat web server-crypto package is an excellent, freely available choice for such a configuration). If you are also concerned about message integrity (i.e., assurance that the message has not changed during delivery) and non-repudiation (assurance that the message came from the identified source), however, this won't cut it. In these cases, some kind of public key cryptosystem would be required, and this presents a huge array of problems, chiefly key management. I, personally, would not want to take on the task of managing keys and digital certificates for our patient population. Further, the market for enterprise PKI systems (from such vendors as RSA, NAI, Baltimore, Entrust, et al.) is extremely immature and largely unproven - not to mention bloody expensive!!
Basically, you're either going to have to spend a lot of money and resources, or accept the fact that your technical security is going to be suboptimal (username/password authentication to a secure web server or mail server is certainly not the best choice for secure transmission of PHI, especially when you have no control over the equipment at the receiving end). I would recommend starting with a functional requirements analysis, followed by a risk analysis: identify and document (in policy) the types of information and circumstances under which such info will be sent to patients/members; if you'll be sending and receiving confidential emails, define who is authorized to see such information on your side; develop an authorization for patients to read and sign; define procedures for securely maintaining a list of email addresses and ensuring that they are accurate (to protect against information leakage and ensure the email address will not be used for any other purpose than that to which the patient agreed in the auth - e.g., steer clear of use for marketing or solicitation); develop a standards document to give to patients, including such information as rules for email use, expected response times, etc.; ensure that all emails received from patients regarding or containing PHI are stored in the medical record; and so on and so on...

You can live with a suboptimal technical security mechanism (IMHO) if you can demonstrate that your organization has taken all reasonable steps to analyze risk, define appropriate use, and audit the process regularly. There is a huge amount of risk involved (primarily data leakage, but also integrity and repudiation issues, timeliness of delivery/response, as well as the fundamental limitations of email as a communication mechanism [e.g., can be easily misinterpreted, etc.]) in communicating PHI via email.
As with all the HIPAA rules, the litmus test is whether you have taken all reasonable steps to assure confidentiality and integrity are protected, and are these steps documented (in policy, procedure, audit requirements, etc.). There WILL be breakdowns in the system at some point. You can help limit your liability, however, by conducting such risk analysis and documenting policies, standards, and procedures.

Two great resources I would recommend for research are:

Journal of AHIMA practice brief on email security - http://www.ahima.org/journal/pb/00.02.html

National Institute of Standards and Technology (NIST) Guidelines on Electronic Mail Security (which I believe is a mapped standard in the Security NPRM) - http://csrc.nist.gov/publications/drafts/PP-ElectronicMailSecurity-RFC.pdf

Also, www.hipaaadvisory.com has its own content, and links to other content, on this issue.

I know this was incredibly long-winded, but hope it helps!!

Andrew McLetchie, CISSP
Information Security Analyst
Sparrow Health System
Lansing, MI

>>> Deborah Campbell <[EMAIL PROTECTED]> 08/27/02 12:48pm >>>

I'm new to this listserv, so please forgive if this has been covered. I'm not in the technical arena, although I am my company's privacy officer. And I'm learning a great deal about encryption at the moment. Here's my question... If, in order to send an encrypted email both the sender and the receiver must have software to unencrypt (or encrypt), how can we send PHI via email to members/subscribers? Very few members would have such software. How are you handling emailing patients, members, etc?

Thank you,

Deborah Campbell
Compliance Coordinator
Dominion Dental Services, Inc.
115 South Union Street, Suite 300
Alexandria, Virginia 22314
Phn: (703) 518-5000 ext. 3035
Fax: (703) 518-8849
Toll Free: 888-518-5338
Email: [EMAIL PROTECTED]

*******************************************
The information in this email is confidential and may be legally privileged. It is intended solely for the addressee.
Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful.
*********************************************************************

The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.
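The distinction the reply draws between a TLS-protected web server (confidentiality in transit) and a public key cryptosystem (integrity and non-repudiation after delivery), as an added example that is not part of the original thread: only a signature made with the sender's private key lets the recipient detect alteration and tie the message to its origin, and the recipient must already hold the sender's public key, which is the key-management burden the post describes. Assumptions: Ed25519 from Go's standard library stands in for the unspecified "public key cryptosystem", and the message format and sample text are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMessage is a constructed wire format: the message body (assumed
// to be carried over TLS for confidentiality) plus a detached signature
// made with the sender's private key.
type SignedMessage struct {
	Body      []byte
	Signature []byte
}

// Sign produces a detached Ed25519 signature over the body. Only the
// holder of priv can produce it, which is what supports non-repudiation.
func Sign(priv ed25519.PrivateKey, body []byte) SignedMessage {
	return SignedMessage{Body: body, Signature: ed25519.Sign(priv, body)}
}

// Verify checks integrity (body unchanged since signing) and origin
// (signed by the key pair behind pub). The recipient needs only the
// public key, but it must have been distributed to them beforehand.
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(pub, m.Body, m.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample message; no real patient data.
	msg := Sign(priv, []byte("Patient 0000: appointment confirmed for 2002-09-03"))
	fmt.Println("genuine message verifies:", Verify(pub, msg))

	// One altered character in transit makes verification fail.
	tampered := msg
	tampered.Body = []byte("Patient 0000: appointment confirmed for 2002-09-04")
	fmt.Println("tampered message verifies:", Verify(pub, tampered))

	// A different key pair cannot vouch for this sender's signature.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("verifies under another sender's key:", Verify(otherPub, msg))
}
```

A TLS session alone gives the recipient none of these three checks once the message is stored, which is why the reply says it "won't cut it" for integrity and non-repudiation.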