Title: Winzip & password and e-mail


I was reading this email discussion and have a question.  It is my understanding that when Password Protection is used with WinZip it actually does encrypt the file.  It does not use a DES encryption algorithm; however, it would seem to meet the current HIPAA requirement of being encrypted.  CMS would indicate that a 128-bit key be used or DES, but the HIPAA Security NPRM did not give this level of detail.  Does this change your position?
 
From WinZip Help:
"WinZip® uses the industry standard Zip 2.0 encryption format.  Password protecting files in a Zip file provides a measure of protection against casual users who don't have the password and are trying to determine the contents of your files.  The Zip 2.0 encryption format, however, is not as secure as DES and the RSA public key formats used by programs such as PGP, and does not provide absolute protection against determined individuals with advanced cryptographic tools."  Copyright © 1991-2000 by WinZip Computing, Inc.  All rights reserved.
 
Don
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 01, 2002 4:18 AM
To: Price, Carolyn; Fify Taslim; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Winzip & password and e-mail

Carolyn, he doesn't exactly say that they are transactions.  Only PHI - if they are transactions, I completely agree with you.  If they are not, then this would be minimal protection from incidental disclosure only - until the security rule deadline requires stronger protections.
 

Tim McGuinness, Ph.D.
Consulting Specialist in Regulatory Privacy, Security, and Application Compliance (HIPAA/ASCA/FDA/CMS-HCFA/ICH/ADA 508c),
 
President,
HIPAA Help Now
 
Executive Co-Chairman for Privacy,
HIPAA Conformance Certification Organization (HCCO)
www.hcco.us

__________________________________________________________________
Phone:   727-787-3901   Cell: 305-753-4149    Fax: 240-525-1149
Instant Messengers: 
ICQ# 22396626 - MSN IM: [EMAIL PROTECTED] - Yahoo IM  timmcguinness - AOL IM:   mcguinnesstim
__________________________________________________________________


-----Original Message-----
From: Price, Carolyn [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 30, 2002 4:29 PM
To: Fify Taslim; '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: RE: Winzip & password and e-mail



HIPAA mandates that all transactions sent via the web be encrypted.  Since the example you give is NOT encrypted, it is not allowed at all.
Carolyn Price
-----Original Message-----
From: Fify Taslim [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 30, 2002 11:40 AM
To: '[EMAIL PROTECTED]'; 'business@wed[i.org'; '[EMAIL PROTECTED]'
Subject: Winzip & password and e-mail



Hello all,

Thank you in advance for all your valuable responses.
I have a Privacy issue question today. Is this scenario still HIPAA compliant or not allowed at all?  Scenario: sending a daily file containing member PHI through e-mail. The file is zipped [Winzip] and password protected, and no encryption was done.

Any suggestions/recommendations for HIPAA compliance are welcome.

Regards,

Fify Taslim, MD, MBA

Care1st Health Plan
Compliance Specialist/HIPAA Coordinator
Ph. (626) 299-4299 ex.376
Fx. (626) 628-3263
E-mail: [EMAIL PROTECTED]


To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=Security
and enter your email address.

The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board of
Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.
Posting of advertisements or other commercial use of this listserv is
specifically prohibited.

