[ Tuesday, August 17, 2004 ]
When you're e-mailing PHI, when do you need to encrypt it? That's the question that the AHLA health information technology listserv has been wrestling with over the last few days. The ultimate answer is that it depends. Encryption is not a required element under the Security Rule, but it is an addressable one, so if you e-mail PHI, you need to have considered whether you need to encrypt, and document your decision.
Obviously, the specifics of your situation will dictate whether you need to encrypt. Sending PHI over an insecure network, especially generally e-mailing over the internet, is a lot different than sending e-mail over a closed network within a healthcare provider like a hospital. In addition to the level of security of the network, the level of confidence that no one but the intended recipient will receive the e-mail will impact the decision to encrypt.
Many HIPAAcrats believe that encryption is required if PHI is sent over the internet. Not so, says one of the Security Rule's original drafters, John Parmigiani. Encryption is an addressable issue, so deciding not to encrypt isn't necessarily a wrong decision, if you've done your risk analysis and (reasonably) determined that, given the circumstances, encryption isn't a necessary part of your risk management scheme. John gave as an example provider-patient e-mail communication where the patient has agreed to receive unencrypted e-mail because of lack of technical expertise or lack of concern over the risk of improper access. Obviously, where the patient-physician relationship is close and the patient is informed of but not particularly concerned about the security risks of over-the-internet e-mail, let 'er rip!
Two things worth emphasizing: even though most HIPAAcrats will say you must use encryption for internet transmissions, encryption is still an addressable item and just because everyone says it's so doesn't mean it's so; and the key to Security Rule compliance is still going through your processes and systems and checking off how you will comply with the required elements and how you will address the addressable ones (i.e., risk analysis and risk management).
Jeff [10:56 PM]
Blogger: HIPAA Blog - Edit your Template