Health Information Management

Under HIPAA, can we e-mail patient information outside of our health care organization?

HIPAA Weekly Advisor, October 8, 2001


Q: Under HIPAA, can we e-mail patient information outside of our health care organization?

A: The HIPAA proposed rule on security does not prohibit the use of e-mail. It is covered under the section on "Data in transit," which specifies the use of encryption and access controls. Refer to the earlier guidelines published by the Centers for Medicare and Medicaid Services (CMS), formerly HCFA, on Internet Security Policy (http://www.hcfa.gov).

Before sending e-mail, providers should consider the nature of the information being sent, the purpose for sending it, and whether it is necessary to use the Internet to transmit the information. Because the Internet is an "open" network, information can be intercepted by the wrong party if the proper precautions aren't taken. The following are different secure approaches using the Internet that meet HIPAA requirements:

  • Encrypted e-mail
  • Virtual private networks (VPNs)
  • Secure messaging

Encryption uses a software algorithm to produce ciphertext from plain text. Once encrypted, it can be transmitted securely by e-mail. Public key infrastructure (PKI) allows the user to send encrypted messages through a certificate authority, which are then decrypted by the receiver.

PKI can be used to secure and support Web-based systems, VPNs, and secure e-mail communication. There are a number of encryption products that allow one to encrypt e-mail before sending and to decrypt messages after receiving them. The process can be simple or extremely complex depending on how the public and private keys that are used to encrypt and decrypt messages are stored.

For instance, I use a product that encrypts any e-mail I send by storing a private key on my personal computer. The public key is stored on the vendor's server, and is accessible only to the person to whom I send the e-mail.

You can also add digital signatures, which guarantee the identity of the sender. Keep in mind that encrypted e-mail cannot be adequately scanned for viruses, so files must be decrypted before they are scanned.
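As an added illustration of the flow described above (encrypting to the receiver's public key, a digital signature that identifies the sender, and the point that encrypted content cannot be scanned until it is decrypted), here is a small Go program using only the standard library. It is not the product the author uses nor any vendor's code; Envelope, Seal, Open, NewKey and ScanHit are names chosen here, and ScanHit is a stand-in for a virus scanner that looks for a constructed marker string.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope (constructed format): ciphertext for the recipient plus the sender's signature over it.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// NewKey generates a fresh 2048-bit RSA key pair for the demonstration.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Seal encrypts msg to the recipient's public key (RSA-OAEP) and signs the ciphertext (RSA-PSS).
func Seal(msg []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (env Envelope, err error) {
	env.Ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
	if err == nil {
		d := sha256.Sum256(env.Ciphertext)
		env.Signature, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, d[:], nil)
	}
	return env, err
}

// Open verifies the sender's signature before decrypting; a tampered or forged envelope is rejected.
func Open(env Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	d := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, d[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("sender signature invalid: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.Ciphertext, nil)
}

// ScanHit stands in for a content scanner: on ciphertext it sees only random-looking bytes.
func ScanHit(data []byte) bool { return bytes.Contains(data, []byte("TEST-MARKER")) }
```

Running ScanHit on the sealed envelope finds nothing, while the same check on the output of Open finds the marker, which is why a scanning gateway must decrypt before it inspects.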

VPNs were discussed in August's BOH as a consideration for "secure" telecommuting. There are two types: site-to-site, which securely links one site to another through the Internet by an encrypted "tunnel" between the two sites, and remote access, which enables telecommuters and remote employees to securely access the corporate network through the Internet.

Another secure approach is to notify the receiver that the information is waiting for them in a secure Web location accessible only by them. If you are sending messages to and receiving messages from the same party, you can set up a secure encrypted messaging environment on the Web to post and receive messages.

Encryption can be very complicated. I recommend that any organization conduct a thorough assessment of its e-mail and security requirements before selecting any products.

Editor's note: Excerpted from the October 2001 issue of Briefings on HIPAA. Answered by Jon Bogen, president of HealthCIO Inc. in Duxbury, MA. If you have a question for him, write to BOH, P.O. Box 1168, Marblehead, MA 01945, or send an e-mail to HIPAA Weekly Advisor editor Brian Driscoll at bdriscoll@hcpro.com.
