[unisog] Re: HIPAA Question

James Leinweber jiml at slh.wisc.edu
Thu Jan 13 18:46:54 GMT 2005

> From: Jay D. Flanagan [mailto:jflanag at emory.edu] 
> Sent: Thursday, January 13, 2005 9:50 AM
> Subject: [unisog] HIPAA Question
> Part of the HIPAA policy requirements include the encryption 
> of email being sent that has PHI data in it. What are other 
> universities doing concerning the encryption of email for 
> this type of issue? 

The HIPAA law and its attendant privacy and security regulations do
not actually *require* that e-mail containing PHI (personally
identifiable health information) be encrypted. Although multiple parts
of the rules affect this issue, the single most pertinent part of the
security rule is 45 CFR 164.312(e) which wants "technical security
measures" to guard information in transit over public networks. E-mail
obviously falls into this category, and encryption is an appropriate
response. This is, however, an "addressable" part of the rule, meaning
that while you still have to do *something*, there is some wiggle room
about exactly what.

The basic technical problem is that PGP is too hard for ordinary
mortals to use, and PKI doesn't really exist, so S/MIME is also a
non-starter.  So there is no key management widely available to do
end-to-end encryption with.  The feedback to the Center for Medicare
and Medicaid Services (the entity within HHS charged with HIPAA
regulations) regarding the difficulties of encryption was vociferous
enough that the final rule neither requires encryption nor adopts any
digital signature standards.

Having said all that, I must confess that 100% of the members of the
HIPAA collaborative of Wisconsin (see http://www.hipaacow.org) have
independently decided that the only safe PHI in e-mail is encrypted
PHI, in general.  As no-one has widespread e-mail encryption
deployed, this has usually resulted in organizational policies
*against* use of e-mail to transmit PHI.  My own Hygiene Lab
falls into this camp.

Where e-mail is still in play, there are 3 kinds of responses going on.

1) Take evasive actions.  These can be administrative, policy,
technical, or just acknowledgement of the risk.

The University of Wisconsin-Madison defined itself as one giant hybrid
covered entity, with around a dozen of its 220+ departments, centers,
and other entities as the health care components (HCC).  These include
things like the UW Hospitals and Clinics, Student Health Services, my
own Laboratory of Hygiene (see http://www.slh.wisc.edu), the Medical
Schools, and a few random places such as the athletic department
(which has some PHI about student athletes).

By being a single entity, *internal* e-mails confined to the campus
are not required to be encrypted.  Which is not to say that
encryption isn't creeping in. The HCCs are planning to use RFC 2487
style STARTTLS to encrypt stuff in transit between local hubs Real
Soon Now, and end-user access to campus mailboxes via POP3 or IMAP or
a web interface requires SSL/TLS as of last year.  So that is how
e-mails among the Hospitals, the researchers, and the medical
foundation are currently being handled.

When communicating with outside groups, our Hospital's policy is to
partially de-identify the data.  So while the e-mail may contain some
PHI, such as a medical record number, it will be obscure enough that
no-one without access to additional data can easily identify the
patient.  In the current technical environment, they documented this
as an acceptable balance between their dual obligations to provide high
quality patient care and the HIPAA rules protecting patient privacy.
Are you loving those "addressable" specifications yet?

Patients these days do tend to want to use e-mail to communicate with
their care providers.  My own boss and his physicians love this, for
example.  Student Health is waiting for a campus PKI rollout; the
Hospital allows e-mail *if* the patient signs an acknowledgement of the
privacy risks.  

The long run solution is perceived as web based messaging over HTTPS
linked into the next generation of electronic medical record systems.

2) Use alternatives to e-mail, such as portals or VPNs.

The Hygiene Lab set up a secure file sharing portal to trade PHI with
our partners, e.g. neonatal screening data going to Kuwait, blood
lead data to various places, AIDS and TB results to the department of
corrections, etc.  This has replaced both FTP and e-mail as our data
transfer method, at some slight inconvenience.  We may send e-mail
announcing the availability of a file of data, of course.

Only two of the UW-Madison HCC's do medical billing.  Traditionally
this has not moved over e-mail, either.  It is tending to go
electronic, obviously, but existing dial-up modem transfers (which
are allowed under HIPAA) are migrating toward VPN solutions,
notably IPSEC.

At the Hygiene Lab, any other systems directly trading PHI data with
partners via HL7 or SOAP or whatever are expected to use TLS with both
client and server certificates.

We also have some data moving over SSH (sftp / scp).

3) Improve your encryption infrastructure

The UW-Madison does not yet have a campus PKI, but is contemplating
one. If we do deploy it, S/MIME will become very appealing, but that
is still 2-3 years out.

A consortium in Massachusetts is working with the Open Group on an
initiative called "Secure Messaging Gateways", where they have
defined an S/MIME profile for securing e-mail between mail hubs. See
http://www.opengroup.org/messaging/. Unlike TLS, it's sender hub to
recipient hub, not just hop to hop.  So that takes care of the
transit over public networks part of the issue.  Unlike regular
S/MIME, it isn't end-to-end, so you don't have the key management
problems of handling all your end users, and you don't have to rip
out your entire existing e-mail infrastructures to upgrade the
end-users to encryption-capable clients and servers, either.

SMG is based on the assumptions that HIPAA organizations have a
manageable number of partners they trade PHI e-mail with (true for the
Hygiene Lab, false for UW-Hospital), and the assumption that everyone
involved is willing to shell out for an SMG appliance.  Most
appliances have web access modes to cover recipients who don't have
SMGs yet.  Some add content filtering features to prevent
confidential stuff from leaking out in unencrypted e-mails.  The pro
side of SMGs is that they satisfy the HIPAA rules, and are feasible
to deploy and operate.  So our state department of Health and Family
Services is lobbying for these.

The con side of SMGs is that so far 0% of covered entities in
Wisconsin have been willing to deploy an SMG. Partly it's an expense
issue; pricing information is hard to come by, but as best we can
tell, vendors are charging around $100 per user mailbox. And partly
it's a chicken versus egg issue - if none of your partners has one,
there is no benefit to deploying one yourself.

-- James E. Leinweber, BadgIRT volunteer
State Laboratory of Hygiene, University of Wisconsin - Madison
<jiml at slh.wisc.edu> 465 Henry Mall; phone +1 608 262 0736
PGP fp: 2E36 47BC DB03 57CE 86AD  19CC 41A1 9179   5C6B C8B9
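The post above sketches three controls an outbound mail hub could combine: treat traffic that stays inside the hybrid covered entity differently from traffic leaving it, require STARTTLS (RFC 2487, now RFC 3207) on the hop to an external hub, and partially de-identify or filter PHI before it goes out unencrypted. The following script is an added illustration of that policy gate; it is not code from the original post, from UW-Madison, or from any SMG vendor. The identifier patterns, the internal domain list (`wisc.edu`), the partner hostnames, and the EHLO replies are all constructed for the example; a real hub would obtain the EHLO reply by connecting to the peer, and would also verify the peer's certificate after STARTTLS, which this example does not do.

```python
"""Outbound PHI gate for a mail hub (hypothetical, illustrative code)."""
from __future__ import annotations

import re
from enum import Enum

# Constructed, illustrative patterns for two direct identifiers that turn up in
# lab and clinic e-mail: a medical record number tagged "MRN", and a US SSN.
# A real deployment would tune these to its own record formats.
MRN_RE = re.compile(r"\bMRN[:#\s]*(\d{6,10})\b", re.IGNORECASE)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Hypothetical domains treated as "inside" the hybrid covered entity.
INTERNAL_DOMAINS = ("wisc.edu",)


class Verdict(Enum):
    ALLOW = "allow"          # no PHI markers, or stays inside the covered entity
    ALLOW_TLS = "allow-tls"  # external peer advertises STARTTLS: send, requiring it
    BLOCK = "block"          # external peer without STARTTLS: use the portal instead


def parse_ehlo(reply: str) -> set[str]:
    """Return the keywords an SMTP server advertises in its EHLO reply.

    RFC 5321 layout: every line starts with "250"; intermediate lines use
    "250-", the last line "250 ". The first line carries the server's own
    domain rather than a keyword, so it is skipped.
    """
    caps: set[str] = set()
    first = True
    for line in reply.splitlines():
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue  # not part of a 250 reply; ignore
        if first:
            first = False
            continue  # greeting line, e.g. "250-mx.partner.example Hello ..."
        fields = line[4:].split()
        if fields:
            caps.add(fields[0].upper())
    return caps


def has_phi_markers(body: str) -> bool:
    """Cheap content-filter check: does the body carry a direct identifier?"""
    return bool(MRN_RE.search(body) or SSN_RE.search(body))


def redact(body: str) -> str:
    """Partially de-identify: keep the last 4 MRN digits, drop SSNs outright."""
    body = MRN_RE.sub(lambda m: "MRN:****" + m.group(1)[-4:], body)
    return SSN_RE.sub("[SSN removed]", body)


def gate(recipient: str, body: str, ehlo_reply: str) -> Verdict:
    """Decide whether an outbound message may leave over SMTP.

    ehlo_reply is the peer hub's EHLO response (captured or constructed);
    a real hub would obtain it by connecting and sending EHLO itself.
    """
    if not has_phi_markers(body):
        return Verdict.ALLOW
    domain = recipient.rpartition("@")[2].lower()
    if any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS):
        return Verdict.ALLOW  # intra-entity traffic: encryption not mandated
    if "STARTTLS" in parse_ehlo(ehlo_reply):
        return Verdict.ALLOW_TLS
    return Verdict.BLOCK


if __name__ == "__main__":
    # Constructed EHLO replies for two hypothetical partner hubs.
    tls_hub = ("250-mx.partner.example Hello\r\n250-SIZE 10240000\r\n"
               "250-STARTTLS\r\n250 8BITMIME\r\n")
    plain_hub = "250-mx.legacy.example Hello\r\n250 SIZE 10240000\r\n"
    msg = "Results for MRN: 12345678, SSN 123-45-6789, lead level 12 ug/dL"
    print(gate("nurse@hosp.wisc.edu", msg, plain_hub))  # Verdict.ALLOW
    print(gate("dr@partner.example", msg, tls_hub))      # Verdict.ALLOW_TLS
    print(gate("dr@legacy.example", msg, plain_hub))     # Verdict.BLOCK
    print(redact(msg))
```

The split between ALLOW_TLS and BLOCK is the "addressable" choice the post describes: a hub that only does opportunistic STARTTLS would fall back to cleartext when the peer lacks it, so the gate refuses instead and leaves the portal as the fallback. An advertised STARTTLS keyword by itself proves nothing about who is on the other end; in production the hub should verify the peer certificate (or pin it, for a small partner list) after the TLS handshake before releasing the message.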
