This
has yet to be decided. The safest
approach is to go ahead and encrypt now.
The
Security NPRM contradicts itself.
On the one hand, it considers a dial-up line to be an open network and,
thus, requires encryption.
On the
other hand, it states that it may not be an open network for small, rural
providers.
Hopefully,
the Security Final Rule, when published, will clarify these
points.
See
the Security NPRM p43255
“When using open networks, some form of
encryption should be employed. The utilization of less open systems/networks
such as those provided by a value-added network (VAN) or privatewire
arrangement provides sufficient access controls to allow encryption to be an
optional feature. These controls would be important because of the potential
for compromise of information over open systems such as the Internet or
dial-in lines.”
See
also the Security NPRM p43256
“If this provider chooses to use the
Internet to transmit or receive health information, some form of encryption
must be used. For example, the provider could procure and use commercial
software to provide protection against unauthorized access to the data
transmitted or received. (This decision must take into account what encryption
system the message recipient uses.) On the other hand, health information when
transmitted via other means such as VANs, private wires, or even dial-up
connections may not require such absolute protection as is provided by
encryption.”
Tom Drinkard
EDIT
(678) 795-1251 (voice)
(678) 795-1575 (fax)
[EMAIL PROTECTED]
-----Original
Message-----
From: Jim Turner
[mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 26, 2001 4:04
PM
To: [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Us
of Dial up Modems without encryption
Does
anyone know if the use of dial up modems without encryption is going to be
acceptable for sending and receiving transactions on Oct 2002. The
security preamble implies it may not be acceptable. Point to point phone
conversations can communicate PHI why not point to point modem
communication?
Jim
Turner
HIPAA
Provider Relations
Blue
Cross/Blue Shield of Hawaii
808-948-6445
This
electronic message is intended only for the individual or entity to which it
is addressed and may contain information that is confidential and protected by
law. If you are not the intended recipient of this e-mail, you are cautioned
that use of its contents in any way is prohibited and may be unlawful. If you
have received this communication in error, please notify the sender
immediately by e-mail or telephone and return the original message by e-mail
to the sender or to [EMAIL PROTECTED] We will reimburse you for any cost
you incur in notifying us of the errant e-mail. Thank
you.
**********************************************************************
To be removed from this list, send a message to: [EMAIL PROTECTED]
Please note that it may take up to 72 hours to process your request.
