• E-mail
• Print
• RSS

The final security rule lists encryption as an addressable specification. What are some acceptable alternatives to encryption?

HIPAA Weekly Advisor, April 4, 2003

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Q: The final security rule lists encryption as an addressable specification. What are some acceptable alternatives to encryption?

A: There's much more emphasis in the final rule on taking reasonable measures in a way that's economic and effective for your organization. I think a lot of people, after doing a risk analysis, will decide that some sort of encryption is necessary.

Organizations must protect e-mails containing PHI, but it may be unreasonable to expect organizations to encrypt everything. The following are suitable alternatives:

1. Fax
If you can't encrypt e-mail, you might opt to transmit PHI by fax, but you need to know that the right person received the fax. You might call the person or have them call you. Include a statement on faxes that says, "This contains sensitive information covered under HIPAA. If you are not the intended recipient, please destroy or delete it and notify me." There might be things that slip through the cracks, but for the most part you've tried to take a certain amount of reasonable precautions based on your risk analysis.

2. Content filters
A policy that says staff cannot e-mail PHI won't necessarily prevent all users from violating it. I don't think there's any way organizations can control user-driven e-mail. You need a mechanism to evaluate whether the policy is working.

You can try to identify everything that contains PHI with content filtering through an e-mail gateway. Consider setting the filter to recognize when e-mails contains Social Security numbers and dates of birth. You can also use field names and medical terms, but will need to compile a list.

You could then encrypt e-mails with any potential PHI.

3. Password-protected attachments
A suitable alternative to encryption might be sending e-mails with password-protected zip file attachments containing PHI. Somebody could crack it if they were determined on doing it, as there's no such thing as 100% security. You want to take reasonable and appropriate precautions and manage your risk.

4. Secure Web servers
Sending e-mails with notices identifying a Web site where PHI can be viewed is one practical solution. You could send an e-mail to a patient that has a notification that says, "Your test results are available on this Web server and can be accessed with the password we gave you when you came in for the test." It would allow patients to access test results on a secure Web server.

In effect, it's a poor man's public key infrastructure (PKI).

5. Selective encryption
You may opt to limit the use of encryption to some organizations, like billing companies, but not patients.

PKIs are often too difficult to manage, because of the administrative aspect. You have to identify certificate authorities and have all these trust relationships.

But it would easier to set up a PKI with a billing company, because it's a one-to-one relationship.

Editor's note: Adapted from the April 2003 issue of Healthcare Information Security and answered by John C. Parmigiani, national practice director of HIPAA compliance services at CTG HealthCare Solutions, in Cincinnati. Parmigiani is a former director of enterprise standards for the Health Care Financing Administration (now called CMS) and federal government chair for the group that developed the proposed security rule. Also answered by Roger T. Brown, CISA, MBA, senior information technology auditor at Jefferson Health System, in Philadelphia.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive