Mike,

I think we all agree that the legal risks are not entirely known, nor the standard HHS will use to determine "reasonableness". You have zeroed in on the key salient point: oversight. You can't reasonably do it, and your users won't regulate their own activity without assistance.

We've seen hundreds of CEs in your position, and the switching cost is the real problem. Going from workstation-installed encryption with no PHI filter to server-based encryption with a PHI filter -- if it comes down to having to make that migration -- is incredibly expensive. Even with a workstation-based system, messages will be unavailable to the rest of your infrastructure (archiving, anti-virus, anti-spam) in a "clear text" format.

I hope this helps.

--
Sean Steele
National Account Manager, Tovaris
[EMAIL PROTECTED]
v 202.270.8672

Michael O'Gorman wrote:

This may have been addressed and I missed it. As a health plan/TPA:

Would this solution cover our legal risk for HIPAA:

An email encryption software that we install on each computer that the users HAVE to choose to encrypt when they feel necessary. If we give them the software solution, but they choose not to encrypt or they forget to encrypt and PHI still goes out unsecure, and there is no "smart server" in the background watching for PHI content to remedy when the users neglect to encrypt, are we compliant? Have we taken reasonable measures?

OR

Do we have to have a server that watches email content in addition to allowing the users to choose to encrypt, and when it sees PHI, it encrypts for them, making their oversight a non-issue?

Thanks

Mike O'Gorman
HPS Paradigm
912-350-6710

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
