Mimi, one could take this approach. On the other hand, enforcing such employee behaviors and auditing, tracking and applying sanctions for violations would potentially add more cost than using appropriate encryption techniques with appropriate procedures, etc.
Rachel Foerster

-----Original Message-----
From: Mimi Hart [mailto:[EMAIL PROTECTED]
Sent: Friday, April 11, 2003 10:44 AM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: *LAWYERS LIE IN WAIT FOR HIPAA REGS

I think that besides encryption, you need to also give your staff an understanding of how they can de-identify to the point that an email would not need to be encrypted. For example, replying to a bill inquiry with "yes, insurance carrier has paid 80% of the bill referenced" would probably not be high risk PHI, while "yes, Blue Cross paid for the tonsillectomy procedure for Mr. Smith" would be higher risk, and would probably need to be secured.

MIMI

Mimi Hart
Research Analyst, HIPAA
Iowa Health System
319-369-7767 (phone)
319-369-8365 (fax)
319-490-0637 (pager)
[EMAIL PROTECTED]

>>> "Rachel Foerster" <[EMAIL PROTECTED]> 04/11/03 10:13AM >>>
Chris, actually, I can't, since I too agree with you that encryption is necessary, and that those who try to rationalize their way out of it are indeed treading on very thin ice. This wasn't my point in pointing out the addressability aspect of encryption. Most likely the only email that might not require encryption would be that which stays within the enterprise's security internal network, but that, of course, means that all due diligence must be done to ensure the network's security.

Rachel

-----Original Message-----
From: Chris Riley [mailto:[EMAIL PROTECTED]
Sent: Friday, April 11, 2003 6:35 AM
To: Rachel Foerster
Cc: WEDI SNIP Privacy Workgroup List
Subject: Re: *LAWYERS LIE IN WAIT FOR HIPAA REGS

Rachel,

Thank you for the point of clarification. Although the rules are intentionally technology neutral in the spirit of scalability, as a practical matter organizations are going to have to pass the ultimate test of "Due Care". Could you give a few examples of technologies other than encryption that could be considered industry best practices or due care?

Thanks,
--
Chris Riley, CISSP
Information Tool Designers Inc.
SANS Top 20 Vulnerability Scanning Tool
http://vdt.info-tools.com/

Rachel Foerster wrote:
> Chris, a point of correction....the HIPAA Electronic Transaction Final Rule does not require encryption for data transmission, and actually the rule does not discuss transmission/transport at all.
>
> Rather, the need for encryption is in the final security rule and is an addressable implementation specification.
>
> Rachel Foerster
>
> -----Original Message-----
> From: Chris Riley [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 10, 2003 6:42 AM
> To: WEDI SNIP Privacy Workgroup List
> Subject: FYI: *LAWYERS LIE IN WAIT FOR HIPAA REGS
>
> Attorneys nationwide reportedly plan to deploy decoy patients at health care organizations to see if doctors, dentists, hospitals and insurance companies have the policies, procedures and protections that ensure patients' privacy, as required by the federal Health Insurance Portability and Accountability Act (HIPAA).
>
> The long-awaited privacy rule goes into effect Monday. Health care organizations that don't comply risk hefty fines, possible criminal prosecution and costly civil lawsuits. Companies have had two years to educate staff, designate a privacy officer and adopt basic security measures. But there's a good chance some providers will miss the deadline.
>
> The threat of lawsuits may be a stronger motivator than government fines or jail time, says Kate Borten, a security consultant and president of The Marblehead Group in Massachusetts. "The government has publicly stated it will be very forgiving if an organization demonstrates it meant well and has taken steps to become compliant," Borten says.
>
> While most of the privacy rule revolves around policy and procedure, it does outline some mandatory security measures. Another HIPAA component, the transactions and code rule, includes requirements for using AES-strength encryption for any electronic data transmissions, such as claims sent between medical providers and insurance companies.
>
> READ MORE: http://www.infosecuritymag.com/2003/apr/news.shtml#1

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org