Consider the following corollary:
- The Security Rule does not proscribe encryption for electronic transmissions of data. This is an addressable element that must be assessed by the covered entity. However, as long as the method of transmission is considered secure (or "good enough"), the covered entity could elect to not encrypt the data and document that decision as part of their assessment of Security compliance.
- Under the Privacy Rule, "conduits" such as USPS, UPS, and FedEx are not required to sign business associate agreements because they are considered "secure" conduits for the data they handle. This includes direct modem connections using POTS lines (Plain Old Telephone Service).
- Data sent via secure transmission methodology could be addressed in such a way that encryption is not required. Conduits are considered secure; therefore, the covered entity can decide that the data sent/received through conduits does not need to be encrypted.
- A covered entity may elect to encrypt data sent via conduit but must work with their business associates to make sure they can adequately handle decrypting the data.
Comments?
Thanks,
Mike McKinlay
McKesson
--------Original Message-----
From: Dave Weiler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 04, 2003 1:42 PM
To: WEDI SNIP Privacy Workgroup List
Subject: digital PHI and snail mail

Anyone have any information on how privacy/security regs affect digital PHI (on zip disk/CD/DVD) being sent via regular mail and/or UPS or FedEx?
Does the data need to be encrypted?