I don't understand why the comments from CMS re: electronic signatures (supposedly saying they will not be required under the final HIPAA security rule) are relevant here. Who's fooling whom? Are folks suddenly sighing with relief? Encryption is still certainly required, as Rachel said, when using an open network such as the internet.

But if you can actually manage to encrypt using an asymmetric key under an interoperable PKI (in such a way that the recipient can decrypt the data), signatures are a trivial fall-out and the least of the matter. A signature is merely the signer's private key encryption of a standard hash. I'm *not* saying a PKI is simple, but it is the only practical means of satisfying the encryption requirement of the HIPAA security rule; you may as well sign since it comes free once you have all the encryption stuff put together in an interoperable way, as with S/MIME. An electronic signature is most importantly needed to assure the identity of the signer (authentication) when receiving data over the open Internet. Secondarily, it ensures the unaltered transmission and receipt of the message (message integrity). Probably the least important aspect of a signature is nonrepudiation, which prevents a signer from successfully denying the signature. But nonetheless, the Security and Electronic Signatures rule does not require that electronic signatures be used unless so specified by one of the HIPAA mandated transactions - and none have, yet.

Certificates are necessary for encryption (and signatures), and the CPP is an ideal mechanism for sharing and disseminating certificates.

William J. Kammerer
Novannet, LLC.
Columbus, US-OH 43221-3859
+1 (614) 487-0320

----- Original Message -----
From: "Rachel Foerster" <[EMAIL PROTECTED]>
To: "'WEDi/SNIP ID & Routing'" <[EMAIL PROTECTED]>
Sent: Wednesday, 12 June, 2002 02:12 PM
Subject: RE: An Overview or Primer Document

No, William, I'm not interested in taking on this task since I do not believe that a CPP registry is either critical or facilitates the industry's march to compliance by the various drop-dead dates. Comments from CMS re electronic signatures indicate they will not be required under the final HIPAA security rule.

Sharing and using digital certificates has much more complexity to it than many people realize... especially across a diverse and fragmented population like health care. The current security NPRM requires encryption only when using an open network, such as the internet.

And, please stop beating the drum on Open-edi. It's not on the near term horizon for health care and no other industry has adopted it entirely or in part either. Businesses do business with other businesses with which a prior relationship has been established for the most part. Receiving a claim from a previously unknown provider is an exception and not the rule.

Rachel

-----Original Message-----
From: William J. Kammerer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 10:46 AM
To: 'WEDi/SNIP ID & Routing'
Subject: Re: An Overview or Primer Document

Rachel:

I hadn't really thought of that before: using the "critical timelines" to "sell" the concept of the Healthcare CPP and Registry. But now that you bring it up, the overview should definitely include verbiage on how the CPP especially facilitates the industry achieving these critical milestones. Would you mind doing that part of the overview?

Obviously, most folks are going to continue using Clearinghouses to help them become HIPAA compliant, but as we've long said, the CPP and Registry are useful to intermediaries also. With Internet connections to clearinghouses and CMS, there are the new HIPAA mandated security rules to deal with which require signatures and encryption - and the CPP is the ideal mechanism for sharing and disseminating certificates. And though it's a given that payers have to support all the standard transactions, the CPP is critical for broadcasting the capabilities of individual providers, avoiding onerous manual interaction as standard transactions are brought online one at a time.

Though I'm no big fan of *mandatory* certification, certification is still a good thing to have: the CPP is the most efficient means of conveying your certified capabilities to your partners. And though it could be left unsaid - after all the discussion of the last couple of weeks - I'll say it again: I think Open-EDI is going to spring on many payers as a surprise by H-day, and only an automated infrastructure provided by the CPP and the Registry will make that at all possible.

Thanks again,

William J. Kammerer
Novannet, LLC.
Columbus, US-OH 43221-3859
+1 (614) 487-0320