Carolyn,

That's not wholly accurate. WinZip password-protected files ARE encrypted, using WinZip's proprietary Zip 2.0 encryption algorithm. So, such a technical security mechanism would conform to the letter of the rule that mandates all web-transmissions of PHI be encrypted. However, it is a recognized WEAK encryption system, and it would be extremely difficult to make the case to an enforcement body that employing such a mechanism represents a reasonable application of security controls.
andrew

>>> "Price, Carolyn" <[EMAIL PROTECTED]> 09/30/02 04:29pm >>>

HIPAA mandates that all transactions sent via the web be encrypted. Since the example you give is NOT encrypted, it is not allowed at all.

Carolyn Price

-----Original Message-----
From: Fify Taslim [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 30, 2002 11:40 AM
To: '[EMAIL PROTECTED]'; 'business@wed[i.org'; '[EMAIL PROTECTED]'
Subject: Winzip & password and e-mail

Hello all,

Thank you in advance for all your valuable responses. I have a privacy issue question today. Is this scenario still HIPAA compliant or not allowed at all?

Scenario: sending a daily file containing member PHI through e-mail. The files are zipped [WinZip] and password protected, and no encryption was done.

Any suggestions/recommendations for HIPAA compliance are welcome.

Regards,
Fify Taslim, MD, MBA
Care1st Health Plan
Compliance Specialist/HIPAA Coordinator
Ph. (626) 299-4299 ex.376
Fx. (626) 628-3263
E-mail: [EMAIL PROTECTED]

To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=Security and enter your email address.

The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.
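A check a sender could run before mailing an archive, added here as an example and not part of the original thread: it reads each entry's ZIP header fields to tell the legacy Zip 2.0 password scheme discussed above from WinZip's AES format (method 99) and from unprotected entries. The function names and the sample archive are constructed for illustration; the sample only patches header fields and contains no real encrypted data.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x01      # general-purpose flag bit 0: entry is encrypted
STRONG = 0x40         # bit 6: PKWARE strong encryption
WINZIP_AES = 99       # method value WinZip uses to mark AES entries


def classify_entries(zip_bytes):
    """Map each member name to the protection its header declares."""
    kinds = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & ENCRYPTED:
                kind = "none"
            elif info.compress_type == WINZIP_AES:
                kind = "winzip-aes"
            elif info.flag_bits & STRONG:
                kind = "pkware-strong"
            else:
                kind = "zip2.0-legacy"   # traditional password scheme
            kinds[info.filename] = kind
    return kinds


def weak_members(zip_bytes):
    """Names of members that are unencrypted or use Zip 2.0 encryption."""
    return sorted(name for name, kind in classify_entries(zip_bytes).items()
                  if kind in ("none", "zip2.0-legacy"))


def constructed_sample(flags, method):
    """Constructed test input: a one-file archive whose central-directory
    header is patched to declare the given flags and method. Only the
    metadata changes; nothing is actually encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("members.csv", "constructed sample row\n")
    data = bytearray(buf.getvalue())
    cd = data.rfind(b"PK\x01\x02")   # central directory file header
    struct.pack_into("<HH", data, cd + 8, flags, method)
    return bytes(data)


if __name__ == "__main__":
    for flags, method in [(0, 0), (ENCRYPTED, 8), (ENCRYPTED, WINZIP_AES)]:
        print(classify_entries(constructed_sample(flags, method)))
```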