• E-mail
• Print
• RSS

Ask the expert: What level of security is necessary to comply with HIPAA when transmitting patient information electronically (i.e., via the Web, through e-mail, etc.)?

HIM Connection, December 4, 2007

Want to receive articles like this one in your inbox? Subscribe to HIM Connection!

A: It depends on the method used to send the patient information. An organization that transmits the information within its network can send it "clear text" (unencrypted).

The organization may choose the level of security it wishes to apply. The same is true for data transmitted via fax-person-to-person versus computer-to-computer-or sent over direct connections. The answer changes if the organization is sending protected health information (PHI) over an open network (the Internet). Encryption is necessary when organizations send PHI over the Internet or a wireless network.

Different methods of data encryption exist for various communication methods (e.g., secure Web, virtual private network, secure e-mail, etc.). But the bottom line is that encryption is required, and the level of encryption should be at least 128-bit encryption (this represents the strength of the encryption algorithm used). Higher levels of encryption are recommended and readily available.

The organization's rules for remote access and transmission of PHI over the Internet are as important as its encryption of PHI. It is highly advisable to train all remote users to exercise caution and to be aware of their actions and their surroundings. For example, remote users should avoid working with PHI-even when transmitting data securely via a wireless network-if they are in a public setting where a passerby could see PHI displayed on a computer screen.

This Q&A was adapted from the December 2007 issue of Briefings on HIPAA. For more information, visit www.hcpro.com/content/154396.cfm.

Want to receive articles like this one in your inbox? Subscribe to HIM Connection!

• E-mail to a Colleague
• Print
• RSS
• Archive