• E-mail
• Print
• RSS

Q: What level of security does HIPAA require when transmitting patient information electronically (i.e., via the Web, through e-mail, etc.)?

HIPAA Weekly Advisor, December 17, 2007

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

A: It depends on the method used to send the patient information. An organization that transmits the information within its network can send it "clear text" (unencrypted). The organization may choose the level of security it wishes to apply. The same is true for data an organization that transmits via fax-person-to-person versus computer-to-computer-or sends over direct connections.

The answer changes if the organization is sending PHI over an open network (the Internet). Encryption is necessary when organizations send PHI over the Internet or a wireless network.

Different methods of data encryption exist for various communication methods (e.g., secure Web, virtual private network, secure e-mail, etc.). But the bottom line is that HIPAA requires encryption, and the level of encryption should be at least 128 bit encryption (this represents the strength of the encryption algorithm used). Higher levels of encryption are recommended and readily available. The organization's rules for remote access and transmission of PHI over the Internet are as important as its encryption of PHI. It is highly advisable to train all remote users to exercise caution and to be aware of their actions and their surroundings. For example, remote users should avoid working with PHI-even when transmitting data securely via a wireless network-if they are in a public setting where a passerby could see PHI displayed on a computer screen.

Editor's note: Chris Apgar, president of Portland, OR-based Apgar & Associates, LLC, answered this question. This is not legal advice. Consult your attorney for legal matters.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive