[unisog] HIPAA Question

Leinweber, James jiml at mail.slh.wisc.edu
Thu Jan 13 18:07:23 GMT 2005

> From: Jay D. Flanagan [mailto:jflanag at emory.edu] 
> Sent: Thursday, January 13, 2005 9:50 AM
> Subject: [unisog] HIPAA Question
> Part of the HIPAA policy requirements include the encryption 
> of email being sent that has PHI data in it. What are other 
> universities doing concerning the encryption of email for 
> this type of issue? 

The HIPAA law and its attendant privacy and security regulations do
not actually *require* that e-mail containing PHI (personally
identifiable health information) be encrypted. Although multiple
parts of the rules affect this issue, the single most pertinent part
of the security rule is 45 CFR 164.316(e)(1) which wants "technical
security measures" to guard information in transit over public
networks. E-mail obviously falls into this category. This is an
"addressable" part of the rule, meaning you still have to do
*something*, but there is some wiggle room about exactly what.

The basic technical problem is that PGP is too hard for ordinary
mortals to use, and PKI doesn't really exist, so S/MIME is also a
non-starter.  So there is no key management widely available to do
end-to-end encryption with.  The feedback to the Center for Medicare
and Medicaid Services (the entity within HHS charged with HIPAA
regulations) regarding the difficulties of encryption was vociferous
enough that the final rule neither requires encryption nor adopts any
digital signature standards.

Having said all that, I must confess that 100% of the members of the
HIPAA collaborative of Wisconsin (see http://www.hipaacow.org) have
independently decided that the only safe PHI in e-mail is encrypted
PHI, in general.  As no-one has widespread e-mail encryption
deployed, this has usually resulted in organizational policies
*against* use of e-mail to transmit PHI. 

So, there are 3 kinds of responses going on.

1) Take evasive actions.  These can be administrative, policy,
technical, or just acknowledgement of the risk.

The University of Wisconsin-Madison defined itself as one giant
hybrid covered entity, with around a dozen of its 220+ departments,
centers, and other entities as the health care components (HCC).  These
include things like the UW Hospitals and Clinics, Student Health
Services, my own Laboratory of Hygiene, the Medical Schools, and a
few random places such as the athletic department (which has some PHI
about student athletes).

By being a single entity, *internal* e-mails confined to the campus
are not required to be encrypted.  Which is not to say that
encryption isn't creeping in. The HCCs are planning to use RFC 2487
style startTLS to encrypt stuff in transit between local hubs Real
Soon Now, and end-user access to campus mailboxes via POP3 or IMAP or
a web interface requires SSL/TLS as of last year.  So that is how
e-mails among the Hospitals, the researchers, and the medical
foundation are currently being handled.

When communicating with outside groups, our Hospital's policy is
to partially de-identify the data.  So while the e-mail may
contain some PHI, such as a medical record number, it will be
obscure enough that no-one without access to additional data 
can easily identify the patient.  In the current technical
environment, they documented this as an acceptable balance between
their dual obligations to provide high quality patient care and
their HIPAA obligation to protect patient privacy.  Are you
loving the "addressable" specification yet?

Patients these days do tend to want to use e-mail to communicate with
their care providers.  My own boss and his physicians love this, for
example.  Student Health is waiting for a campus PKI rollout; the
Hospital allows e-mail if the patient signs an acknowledgement of the
privacy risks.  

The long run solution is perceived as web based messaging over HTTPS
linked into the next generation of electronic medical record systems.

2) Use alternatives to e-mail, such as portals or VPNs.

The Hygiene Lab set up a secure file sharing portal to trade PHI with
our partners, e.g. neonatal screening data going to Kuwait, blood
lead data to various places, AIDS and TB results to the department of
corrections, etc.  This has replaced both FTP and e-mail as our data
transfer method, at some slight inconvenience.  We may send e-mail
announcing the availability of a file of data, of course.

Only two of the UW-Madison HCCs do medical billing.  Traditionally
this has not moved over e-mail, either.  It is tending to go
electronic, obviously, but existing dial-up modem transfers (which
are allowed under HIPAA) are migrating toward VPN solutions,
notably IPSEC.

3) Improve your encryption infrastructure

The UW-Madison does not yet have a campus PKI, but is contemplating
one. If we do deploy it, S/MIME will become very appealing, but that
is still 2-3 years out.

A consortium in Massachusetts is working with the Open Group on an
initiative called "Secure Messaging Gateways", where they have
defined an S/MIME profile for securing e-mail between mail hubs. See
http://www.opengroup.org/messaging/. Unlike TLS, it's sender hub to
recipient hub, not just hop to hop.  So that takes care of the
transit over public networks part of the issue.  Unlike regular
S/MIME, it isn't end-to-end, so you don't have the key management
problems of handling all your end users, and you don't have to rip
out your entire existing e-mail infrastructure to upgrade the
end-users to encryption capable clients and servers, either.

SMG is based on the assumptions that HIPAA organizations have a
manageable number of partners they trade PHI e-mail with (true for the
Hygiene Lab, false for UW-Hospital), and the assumption that everyone
involved is willing to shell out for an SMG appliance.  Most
appliances have web access modes to cover recipients who don't have
SMGs yet.  Some add content filtering features to prevent
confidential stuff from leaking out in unencrypted e-mails.  The pro
side of SMGs is that they satisfy the HIPAA rules, and are feasible
to deploy and operate.  So our state department of Health and Family
Services is lobbying for these.

The con side of SMGs is that so far 0% of covered entities in
Wisconsin have been willing to deploy an SMG. Partly it's an expense
issue; pricing information is hard to come by, but as best we can
tell, vendors are charging around $100 per user mailbox. And partly
it's a chicken versus egg issue - if none of your partners has one,
there is no benefit to deploying one yourself.

-- James E. Leinweber, BadgIRT volunteer
State Laboratory of Hygiene, University of Wisconsin - Madison
<jiml at slh.wisc.edu> 465 Henry Mall; phone +1 608 262 0736
PGP fp: 2E36 47BC DB03 57CE 86AD  19CC 41A1 9179   5C6B C8B9
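The post describes two controls that an outbound mail hub can combine: a per-partner STARTTLS delivery policy (the RFC 2487 hub-to-hub encryption mentioned for the campus HCCs) and the content filtering some SMG appliances add to stop PHI leaving in cleartext. The following is an added illustration, not code from the post, from UW-Madison or from any SMG vendor. The partner table, the PHI detectors and the sample messages are all constructed for the example; a real filter would carry identifiers tuned to the organization and would also inspect attachments.

```python
"""Outbound mail gate (constructed example): hold PHI-bearing mail unless every
recipient domain is a partner whose hub we deliver to over verified STARTTLS."""
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed delivery policy: partner domains for which the hub is configured to
# require STARTTLS with certificate verification. Any other domain is treated as
# cleartext transit across the public network.
TLS_PARTNERS = {
    "hygiene.example": "secure",
    "hospital.example": "secure",
}

# Constructed, deliberately narrow detectors for PHI-like identifiers. They exist
# only to show the shape of the check, not as a complete identifier list.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*:?\s*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
}


def find_phi(text):
    """Names of the detectors that match anywhere in text, sorted for stable output."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def recipient_domains(msg):
    """Distinct recipient domains from To/Cc/Bcc, lower-cased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return sorted({addr.rpartition("@")[2].lower()
                   for _, addr in getaddresses(headers) if "@" in addr})


def text_body(msg):
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)


def gate(raw_message):
    """Decide what the hub does with one message.

    Returns (verdict, phi_hits, untrusted_domains); verdict is one of
    'deliver' (no PHI seen), 'deliver-tls-only' (PHI seen, all recipients are
    TLS partners) or 'hold' (PHI seen, at least one recipient is not)."""
    msg = message_from_string(raw_message)
    hits = find_phi(text_body(msg) + "\n" + (msg.get("Subject") or ""))
    if not hits:
        return "deliver", [], []
    untrusted = [d for d in recipient_domains(msg) if TLS_PARTNERS.get(d) != "secure"]
    if untrusted:
        return "hold", hits, untrusted
    return "deliver-tls-only", hits, []


# Constructed sample messages.
SAMPLE_OK = """From: clerk@slh.example
To: labs@hygiene.example
Subject: Batch 17 is posted
Content-Type: text/plain; charset=us-ascii

The neonatal screening file for batch 17 is on the portal.
"""

SAMPLE_PHI_PARTNER = """From: clerk@slh.example
To: records@hospital.example
Subject: Result follow-up
Content-Type: text/plain; charset=us-ascii

Patient MRN: 00123456 DOB: 04/12/1971, blood lead result attached.
"""

SAMPLE_PHI_OUTSIDE = """From: clerk@slh.example
To: contact@outside.example
Cc: labs@hygiene.example
Subject: Re: your question
Content-Type: text/plain; charset=us-ascii

Confirming the record for SSN 123-45-6789 was received.
"""

if __name__ == "__main__":
    for name, raw in [("ok", SAMPLE_OK), ("partner", SAMPLE_PHI_PARTNER),
                      ("outside", SAMPLE_PHI_OUTSIDE)]:
        print(name, gate(raw))
```

The three verdicts map onto the post's three responses: 'deliver-tls-only' is the hub-to-hub TLS case, 'hold' is where the sender is pointed at a portal or an SMG-capable partner instead, and the regex table is the crude core of what an appliance's content filter does before it decides whether a message may leave unencrypted.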
