[ Tuesday, February 15, 2005 ]


NOT Live-Blogging HIMSS: I had hoped to spend yesterday afternoon and today over at the Health Information Management Systems Society annual confab, which is here in Dallas, but my 4-year-old has learned to share and gave her her virus. So I'm home with some sort of cold/fever/throat and chest congestion bug that is more anoying than anything else. And, I've got to give a HIPAA Security Rule speech to the Dallas Bar Association Health Law Section tomorrow at lunch. Hopefully I can make it. . . .

Anyway, I've been meaning to post a few of the things that've stacked up here on HIPAA matters, but haven't really had the time to get my thoughts together. So, I decided to just start shooting out stream-of-consciousness style information that has been bouncing around in my seemingly-increasingly-empty brain. Who's afraid of Virginia Wolfe? Also, I'm a little feverish, so if none of this makes sense, that's probably why.

Email. That's a big HIPAA Security question mark. The Security Rule has a heading for ePHI transmission security, so it is certainly something that needs to be addressed in your Risk Assessment. However, encryption of ePHI, either in transit or at rest, is not required. It is addressable, but is not required. Period. Even for email over the internet: not required. By the way, did I mention that internet e-mail encryption is not required?

Of course, you may do your risk assessment and determine that your organization will not email any information outside the entity's firewall unless it is encrypted. Many, many people in the tech community say you simply must encrypt email sent over the internet, because it is insecure. Of course, it's just as insecure as mail sent in a sealed envelope, or a phone transmission over a phone line. And I put this offer/challenge out to the AHLA listserv, and will put it out here as well:

I think the hysteria over the "insecurity" of internet email is based on the fact that nobody knows what route a packet of information is going to take going from one email box to another over the internet. It could take a million different routes over the millions of routers and servers on the internet, and the possibility exists that someone could catch the message as it passed through a particular router or server. O have 2 analogies for this. First, consider the "insecurity" of having your keys in your car with the car unlocked (and the ignition turned on, too). Would you believe that it happens millions of times a day, people leave their cars turned on, with the keys in, and the doors unlocked? How very, very unsafe. Of course, most of the times when this happens, the owner is in the car, usually driving. Isn't an internet email in transit like an unlocked car on the highway - someone could take the car, but they'd have to get into it while it was moving. Intercepting an email on the internet is like catching an arrow out of the air; theoretically possible, but really, really unlikely.

Should you encrypt email you send over the internet? You certainly should consider it, but it is not required (I did mention that, didn't I?). Should you encrypt email you send over your intranet, behind your firewall? The risk of outside interception is really small, but to the extent you want to keep internal eyes off of information they don't have a role-based need to access, it might be appropriate. This is the only really good argument I can think of for internet email encryption: keeping the information protected if it is accidentally sent to the wrong email address. Of course, you could just make sure you don't send to the wrong email address; only send out external emails to verified addresses, or as return mail to patients requesting information. Try to convince your patients and trading partners to use simple encryption, but if they won't or can't, and your staff can't spend the time teaching and reteaching it to patients. I don't know if you should bother.

If you don't encrypt ePHI at rest behind your firewall, do you need to encrypt ePHI in transit behind your firewall? Again, the good reason for doing so is if you have a large organization with multiple layers of "need to know" or some other risk factors that militate for protection against the inadvertent disclosure to the wrong in-house party.

More later. I need some Tylenol.

Jeff [11:46 AM]

Comments: Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template