Do not confuse digital certificates with encryption. "Signing" an email
using MS Digital Certificates does not encrypt anything. It only
"authenticates" the sender to the recipient -- and only in those cases in
which the recipient has the software to do so. If you are "signing" your
email using MS Outlook/Exchange, anyone can read the e-mail, they just may
not be able to read the certificate to authenticate the e-mail. Again, this
is not being encrypted.

It is possible that Exchange is deployed to use S/MIME encryption, but it is
by no means the default and not everyone can read the e-mail.

The best way to communicate with patients in a secure manner, if you choose
to implement encryption, is through a secure messaging system.

Jeff

Jeff Kerber
Director, HIPAA Compliance
Texoma Healthcare System
903-416-5520
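
The signed-versus-encrypted distinction in the message above, as an added example that is not part of the original thread: a Python check that reads the S/MIME content type of a message and shows that a clear-signed body stays readable without any key. The function names and both sample messages are constructed for illustration, and the base64 bodies are placeholders rather than real signatures or ciphertext.

```python
from email import message_from_string

ENCRYPTED_TYPES = {"enveloped-data", "authenveloped-data"}  # RFC 8551 smime-type values
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def classify_smime(raw):
    """Return 'encrypted', 'signed-only', 'other-smime' or 'plain'."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype in PKCS7_MIME:
        smime_type = str(msg.get_param("smime-type") or "").lower()
        if smime_type in ENCRYPTED_TYPES:
            return "encrypted"
        # Opaque signed-data is base64 CMS, but anyone can unwrap it: no key needed.
        return "signed-only" if smime_type == "signed-data" else "other-smime"
    if ctype == "multipart/signed":
        if str(msg.get_param("protocol") or "").lower() in PKCS7_SIG:
            return "signed-only"
    return "plain"

def readable_text(raw):
    """Body text visible to any relay or recipient, no private key required."""
    return "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in message_from_string(raw).walk()
                   if p.get_content_type() == "text/plain")

# Constructed sample messages; the base64 bodies are placeholders, not real CMS.
SIGNED = """\
From: therapist@example.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b1"

--b1
Content-Type: text/plain

Pt. J.D. tolerated the session well.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"

AAAA
--b1--
"""
ENCRYPTED = """\
From: therapist@example.org
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

AAAA
"""
```

Run over an outbound mail queue, a check like this flags messages that carry a signature but still expose their body in transit.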


-----Original Message-----
From: William J. Kammerer [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 04, 2003 2:55 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: E-mail Microsoft Exchange Server


Craig, technology questions regarding security implementations might
better be directed to the WEDI SNIP Security Workgroup List.

But in any case, you already have practically everything you need to
implement secure messaging among and between your therapists. Encryption
is a standard feature built-in to your e-mail client software, such as
Outlook and Outlook Express, without the need for new licenses or
modifying your Exchange Server configuration.

Actually, I believe Exchange Server does have the capability for
generating digital IDs for each of your e-mail accounts. This saves you
the hassle of dealing with Third Party Certificate Authorities (CAs)
like Verisign or Thawte for obtaining digital IDs (X.509 certificates).
Encryption is of primary importance, which will be available with either
CA generated or self-signed certificates. You can easily live without
authentication (because each of your employees recognizes legitimate
e-mails from their colleagues). But you can generate your own
certificates with the company recognized as the "certificate authority"
by all of the e-mail clients.

I communicate regularly using encrypted e-mail with colleagues within
and without Novannet - each of us uses standard e-mail clients like
Outlook or Outlook Express and we haven't spent a dime for this
capability.

William J. Kammerer
Novannet, LLC.
Columbus, US-OH 43221-3859
+1 (614) 487-0320

----- Original Message -----
From: "Craig Moen" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Tuesday, 04 March, 2003 02:29 PM
Subject: E-mail Microsoft Exchange Server



We are a home health agency that provides PT, OT and ST. We communicate
regularly with our therapists via e-mail. Patient's summary of progress
etc are exchanged and then we copy and paste to a document that we send
to the physician. Currently for patient confidentiality we have the
therapist de-identify information in e-mail by removing patient name
and using only initials (no address or other identifying info is on this
document.) During our risk analysis we determined that this is a
potential risk in patient privacy because a therapist could
inadvertently include the full patient name. With the cost of an
additional exchange server (as our e-mail is handled externally at this
point) is this "reasonable" to continue as we are without encryption? Any
inexpensive alternatives??

If not, does anyone have any comments about Microsoft Exchange Server,
where each of our staff would have their own e-mail address and we would
encrypt by default. We are struggling with "reasonable" because of the
cost of the product and the number of licenses we would need to acquire.

Thanks for your opinion and helpful comments!

Craig Moen, MPT
Director of Rehabilitation
THERAPY 2000
214-467-9787 office
214-741-3655 fax
[EMAIL PROTECTED]



---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and
services.  They also are not intended to be used as a forum for personal
disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as
the address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org


"This electronic message may contain information that is confidential and/or
legally privileged.  It is intended only for the use of the individual(s)
and entity named as recipients in the message.  If you are not an intended
recipient of the message, please notify the sender immediately and delete
the material from any computer.  Do not deliver, distribute, or copy this
message, and do not disclose its contents or take action in reliance on the
information it contains. Thank you."
