
Deborah,

This is an extremely tricky issue that requires significant analysis before
even identifying an appropriate technical security mechanism.  As many
others on the listserv have noted, there are many encryption products
available to do the message scrambling for privacy and signature
hashing for non-repudiation.  However, the issue of sending any kind of
PHI over a public network (whether using email, FTP, or some other
transfer mechanism) presents myriad concerns.

HIPAA is also not the only regulation or standard that comes into play on
this subject.  HCFA has a well-defined internet security policy that
specifies cryptographic standards and so forth for any transmission of
medical information over a public network.

If your only concern is message confidentiality, then perhaps a
browser-based interface to a secured web server (using transport layer
security or SSL) using some strong form of authentication is the best
solution (the Apache/Tomcat web server-crypto package is an excellent,
freely-available choice for such a configuration).  If you are also
concerned about message integrity (i.e., assurance that the message
has not changed during delivery)  and non-repudiation (assurance that
the message came from the identified source), however, this won't cut it.
In these cases, some kind of public key cryptosystem would be
required, and this presents a huge array of problems, chiefly key
management.  I, personally, would not want to take on the task of
managing keys and digital certificates for our patient population.  Further,
the market for enterprise PKI systems (from such vendors as RSA, NAI,
Baltimore, Entrust, et al.) is extremely immature and largely unproven -
not to mention bloody expensive!!  Basically, you're either going to have to
spend a lot of money and resources, or accept the fact that your
technical security is going to be suboptimal (username/password
authentication to a secure web server or mail server is certainly not the
best choice for secure transmission of PHI, especially when you have no
control over the equipment at the receiving end).

I would recommend starting with a functional requirements analysis,
followed by a risk analysis:  identify and document (in policy) the types
of information and circumstances under which such info will be sent to
patients/members; if you'll be sending and receiving confidential emails,
define who is authorized to see such information on your side; develop
an authorization for patients to read and sign; define procedures for
securely maintaining a list of email addresses and ensuring that they are
accurate (to protect against information leakage and ensure the email
address will not be used for any other purpose than that to which the
patient agreed in the auth - e.g., steer clear of use for marketing or
solicitation); develop a standards document to give to patients, including
such information as rules for email use, expected response times, etc.;
ensure that all emails received from patients regarding or containing PHI
are stored in the medical record; and so on and so on...

You can live with a suboptimal technical security mechanism (IMHO) if
you can demonstrate that your organization has taken all reasonable
steps to analyze risk, define appropriate use, and audit the process
regularly.  There is a huge amount of risk involved (primarily data
leakage, but also integrity and repudiation issues, timeliness of
delivery/response, as well as the fundamental limitations of email as a
communication mechanism [e.g., can be easily misinterpreted, etc.]) in
communicating PHI via email.

As with all the HIPAA rules, the litmus test is whether you have taken all
reasonable steps to assure confidentiality and integrity are protected,
and are these steps documented (in policy, procedure, audit
requirements, etc.).  There WILL be breakdowns in the system at some
point.  You can help limit your liability, however, by conducting such risk
analysis and documenting policies, standards, and procedures.

Two great resources I would recommend for research are:

Journal of AHIMA practice brief on email security -
http://www.ahima.org/journal/pb/00.02.html

National Institute of Standards and Technology (NIST) Guidelines on
Electronic Mail Security (which I believe is a mapped standard in the
Security NPRM) -
http://csrc.nist.gov/publications/drafts/PP-ElectronicMailSecurity-RFC.pdf

Also, www.hipaaadvisory.com has its own content, and links to other
content, on this issue.

I know this was incredibly longwinded, but hope it helps!!

Andrew McLetchie, CISSP
Information Security Analyst
Sparrow Health System
Lansing, MI
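An added example, not part of Andrew's post or the list archive, to make the distinction above concrete: a shared-secret MAC (what a password-authenticated session or a symmetric scheme gives you) detects tampering but cannot prove origin to a third party, because the receiver holds the same key and can mint a valid tag on any message; a public-key signature can only be produced by the private-key holder, which is why non-repudiation pushes you toward a public key cryptosystem and its key-management burden. The RSA here is textbook RSA on two fixed, constructed primes, an assumption for illustration only, and the message texts are constructed; only the Python standard library is used.

```python
"""
Constructed illustration: integrity via shared-secret HMAC versus
non-repudiation via a public-key signature.

The RSA below is textbook RSA on two fixed Mersenne primes with no padding
scheme; it exists only to show the structural difference between a MAC and
a signature and is not a usable signature implementation.
"""
import hashlib
import hmac
import secrets

# --- Integrity with a shared secret (HMAC-SHA256) ---------------------------

def mac_tag(shared_key: bytes, message: bytes) -> bytes:
    """Tag a message under a key both sender and receiver hold."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()

def mac_verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so verification itself does not leak the tag."""
    return hmac.compare_digest(mac_tag(shared_key, message), tag)

# --- Toy public-key signature (textbook RSA, constructed fixed primes) -------

P = 2**61 - 1          # assumed prime for the example (a Mersenne prime)
Q = 2**89 - 1          # assumed prime for the example (a Mersenne prime)
N = P * Q              # public modulus
E = 65537              # public exponent; gcd(E, (P-1)(Q-1)) == 1 for these primes
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the sender only

def _digest_int(message: bytes) -> int:
    # Hash the message, then reduce into the RSA group (toy: no padding)
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(private_d: int, message: bytes) -> int:
    """Only the holder of private_d can compute this value."""
    return pow(_digest_int(message), private_d, N)

def verify(public_e: int, message: bytes, signature: int) -> bool:
    """Anyone holding the public key (N, E) can check the signature."""
    return pow(signature, public_e, N) == _digest_int(message)

# --- The two scenarios the post contrasts -----------------------------------

ORIGINAL = b"Your lab results are normal."            # constructed sample
TAMPERED = b"Your lab results are abnormal."          # altered in transit
FORGED = b"Sender approved release of records."       # never sent by sender

def demo_shared_secret() -> dict:
    """MAC: detects tampering, but the receiver can forge a valid tag."""
    key = secrets.token_bytes(32)      # shared by sender and receiver
    tag = mac_tag(key, ORIGINAL)
    return {
        "genuine_verifies": mac_verify(key, ORIGINAL, tag),
        "tamper_detected": not mac_verify(key, TAMPERED, tag),
        # The receiver holds the same key, so a tag it mints on a message
        # the sender never wrote verifies just as well: no non-repudiation.
        "receiver_can_forge": mac_verify(key, FORGED, mac_tag(key, FORGED)),
    }

def demo_signature() -> dict:
    """Signature: detects tampering, and the receiver (holding only N, E)
    cannot reuse the sender's signature on a message of its own choosing."""
    sig = sign(D, ORIGINAL)
    return {
        "genuine_verifies": verify(E, ORIGINAL, sig),
        "tamper_detected": not verify(E, TAMPERED, sig),
        "reuse_on_forged_fails": not verify(E, FORGED, sig),
    }

# What the signature does NOT solve: the verifier must already trust that
# (N, E) belongs to the sender. Distributing and revoking those public keys
# per patient is exactly the key-management burden the post describes.

if __name__ == "__main__":
    print("shared secret:", demo_shared_secret())
    print("signature:    ", demo_signature())
```

Run it as a script to see the two result tables side by side; the only row that differs between them is the forgery row, which is the whole difference between integrity and non-repudiation.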

>>> Deborah Campbell <[EMAIL PROTECTED]> 08/27/02 12:48pm >>>
I'm new to this listserv, so please forgive if this has been covered.

I'm not in the technical arena, although I am my company's privacy
officer.
And I'm learning a great deal about encryption at the moment.

Here's my question.....If, in order to send an encrypted email both the
sender and the receiver must have software to unencrypt (or encrypt), how
can we send PHI via email to members/subscribers? Very few members would
have such software. How are you handling emailing patients, members, etc?

Thank you,
Deborah Campbell
Compliance Coordinator

Dominion Dental Services, Inc.
115 South Union Street, Suite 300
Alexandria, Virginia 22314

Phn: (703) 518-5000 ext. 3035
Fax: (703) 518-8849
Toll Free:  888-518-5338
Email: [EMAIL PROTECTED]

*******************************************
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee.  Access to this email by anyone
else is unauthorized.

If you are not the intended recipient, any disclosure, copying, distribution
or any action taken or omitted to be taken in reliance on it is prohibited
and may be unlawful.
*********************************************************************

The WEDI SNIP listserv to which you are subscribed is not moderated.  The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board of
Directors nor WEDI SNIP.  If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.
Posting of advertisements or other commercial use of this listserv is
specifically prohibited.
