Guest jkonline
Posted

My organization provides technical support for medical software databases. I feel PHI is passed around in emails freely for troubleshooting client systems. Does anyone have a suggestion for remediation other than using S/MIME or PGP?

Here is a quote from the support supervisor, "I think the main point of HIPAA is to use 'some means' of protecting PHI so even a password protected zip file will suffice. However it may be easier to just not allow any PHI in emails."

Any ideas on changing this train of thought?

Posted

It must be HIPAA day!

jkonline, it sounds like you would be (if anything) a business associate, not a covered entity. If your organization provides support for a covered entity in which the review of PHI was necessary (for example, in auditing emails), then your obligations would spring from the business associate contract, not HIPAA itself.

This is worth re-stating. From your post, it seems that you have no obligation under HIPAA. You may have state privacy law requirements, and will probably have contractual requirements, however.

Your support supervisor's quote is actually pretty close to the Privacy and Security standards. HIPAA (particularly HIPAA Security) doesn't mandate a particular security measure. Rather, it requires that you review your current policies and determine whether the risks of loss of confidentiality, integrity or availability mandate that you improve your current systems.

Assuming that the BAA mandates that you follow the Security rule, you will need to conduct (and document) a risk assessment of your current systems, and establish a rationale for why your current systems are sufficient, or how you will make them sufficient.

As for privacy, the BAA will likely require that you restrict disclosures of PHI to the "minimum necessary". If the "no PHI in emails" rule is feasible, this would be a good way to approach this requirement.
