[unisog] Re: HIPAA Question

Forsythe, Ralph Ralph.Forsythe at twtelecom.com
Mon Jan 17 18:34:14 GMT 2005

For whatever it's worth...  The way it has been explained to me is that
HIPAA is written with some flexibility and ambiguity on purpose, however
that does not mean you can ignore it.  From what I understand, the way
it is enforced is by a self-adjusting scale of "best practices of your
peers" - i.e., if someone else does it and you ignore it, you're falling
behind the curve so to speak.  Now if 99% of the industry does it one
way and some rogue business with a lot of money goes nuts, "they" won't
expect everyone else to follow suit as long as the common procedures are
adequate.  However, if you are HIPAA-governed and don't do something
like encryption when everyone else (or the vast majority) does, you
could be in trouble.

- Ralph

-----Original Message-----
From: James Leinweber [mailto:jiml at slh.wisc.edu]
Sent: Thursday, January 13, 2005 11:47 AM
To: unisog at lists.sans.org
Subject: [unisog] Re: HIPAA Question

> From: Jay D. Flanagan [mailto:jflanag at emory.edu]
> Sent: Thursday, January 13, 2005 9:50 AM
> Subject: [unisog] HIPAA Question
> Part of the HIPAA policy requirements include the encryption of email
> being sent that has PHI data in it. What are other universities doing
> concerning the encryption of email for this type of issue?

The HIPAA law and its attendant privacy and security regulations do not
actually *require* that e-mail containing PHI (personally identifiable
health information) be encrypted. Although multiple parts of the rules
affect this issue, the single most pertinent part of the security rule
is 45 CFR 164.312(e) which wants "technical security measures" to guard
information in transit over public networks. E-mail obviously falls into
this category, and encryption is an appropriate response. This is,
however, an "addressable" part of the rule, meaning that while you still
have to do *something*, there is some wiggle room about exactly what.
