HIPAA, Websites and E-mail
Why is HIPAA relevant to my business?
Protected Health Information (PHI)
HIPAA and E-mail
The privacy of PHI extends to email and computer files. HIPAA requires organizations to reduce or eliminate the risk of interception of emails and receipt of emails by unauthorized persons.
A new security rule focusing solely on PHI that is stored and transmitted electronically is part of HIPAA. The requirements of this rule, which are simply information security best practices, focus on the three cornerstones of a solid information security infrastructure - confidentiality, integrity, and availability of information.
HIPAA enforces well-known best practices that include:
- Ensuring that e-mail messages containing PHI are kept secure when transmitted over an unprotected link
- Ensuring that e-mail systems and users are properly authenticated so that PHI does not get into the wrong hands
- Protecting e-mail servers and message stores where PHI may exist
So HIPAA has requirements for transmission, storage and discoverability of private information (PHI). The technical standards of HIPAA's security rule require the use of encryption, such as PGP, for electronic communication of protected health information over open networks.
So what does your organization need to do about HIPAA?
- Use a secure server for your website.
- Rather than emailing PHI data, send links to the secure server.
- Set up encrypted email via PGP.
Still not sure what you need to do for HIPAA? Look here for answers:
H&HS Office for Civil Rights - HIPAA
H&HS HIPAA FAQ
California Office of HIPAA Implementation
Example of HIPAA Compliant E-mail
Here is a HIPAA compliant example:
First Name Last Name
Organization
example@example.com
w xxx.xxx.xxxx
p xxx.xxx.xxxx
c xxx.xxx.xxxx
http://example.com
This message may contain private information for persons named above. Please don't share that information with anyone without a need to know. If you received confidential information without a PGP wrapper, assume it was compromised, delete it, tell the sender, and try to tell the victim. Please don't send someone else's private information if you're not reasonably certain the recipient has a need to know and that the message will be kept private. Plain email is not private. In some cases, such as health information protected under the US HIPAA law or information protected under the US Privacy Act, plain email may be illegal. If you must relate a person's identity to their private information in email, use Hushmail or insist your recipients provide you their PGP public key. You can get my public key from the keyservers or my webpage.
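The two rules above, "send a link to the secure server rather than the PHI itself, or use PGP" from the checklist and "if it arrived without a PGP wrapper, assume it was compromised" from the signature, can be checked mechanically on the sending side. The following Python is an added example, not code from this page or from Kahl Consultants. It assumes an outbound relay that can see the messages sent by the system handling patient communications, and that the secure server lives at https://portal.example.com (a placeholder hostname). It uses only the standard library; the sample messages are constructed, and the PGP armored blocks are placeholder text rather than real ciphertext.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Assumed hostname of the organization's secure server (placeholder, not from the page).
SECURE_HOST = "portal.example.com"
PGP_BEGIN = "-----BEGIN PGP MESSAGE-----"
PGP_END = "-----END PGP MESSAGE-----"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def text_body(msg: Message) -> str:
    """Concatenate the decoded text/plain parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def is_pgp_encrypted(msg: Message) -> bool:
    """PGP/MIME (RFC 3156 multipart/encrypted) or an inline ASCII-armored body."""
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return True
    body = text_body(msg).strip()
    return body.startswith(PGP_BEGIN) and body.endswith(PGP_END)


def has_attachment(msg: Message) -> bool:
    """Any MIME part flagged as an attachment counts, whatever its type."""
    return any(p.get_content_disposition() == "attachment" for p in msg.walk())


def links_only_to_secure_server(body: str) -> bool:
    """True if the body has at least one link and every link is HTTPS to SECURE_HOST."""
    urls = URL_RE.findall(body)
    return bool(urls) and all(
        urlparse(u).scheme == "https" and urlparse(u).hostname == SECURE_HOST
        for u in urls
    )


def gate(raw_message: str) -> tuple:
    """Return (verdict, reason) for one outbound message from the PHI-handling system.

    allow:  PGP-encrypted, or a notification that only links to the secure server
    block:  an unencrypted attachment, or a link that points anywhere else
    review: plain text with no links; a person confirms it carries no PHI
    """
    msg = message_from_string(raw_message)
    if is_pgp_encrypted(msg):
        return ("allow", "PGP-encrypted")
    if has_attachment(msg):
        return ("block", "unencrypted attachment")
    body = text_body(msg)
    if links_only_to_secure_server(body):
        return ("allow", "links only to the secure server")
    if URL_RE.search(body):
        return ("block", "link is not HTTPS to the secure server")
    return ("review", "plain text without PGP wrapper or secure link")


# Constructed sample messages; armored blocks are placeholders, not real ciphertext.
PGP_MIME = """Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"
Subject: Your appointment

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMA0xPLACEHOLDER
-----END PGP MESSAGE-----
--b1--
"""

INLINE_PGP = """Subject: Lab results

-----BEGIN PGP MESSAGE-----

hQEMA0xPLACEHOLDER
-----END PGP MESSAGE-----
"""

SECURE_LINK = """Subject: New message in your patient portal

A new message is waiting for you. Sign in to read it:
https://portal.example.com/inbox
"""

BAD_LINK = """Subject: Results

Your results are posted at http://results.example.org/patient/42
"""

PLAIN = """Subject: Office hours

Reminder: the office is closed on Monday.
"""

ATTACHMENT = """Content-Type: multipart/mixed; boundary="b2"
Subject: Scan

--b2
Content-Type: text/plain

Please see the attached scan.
--b2
Content-Type: application/pdf; name="scan.pdf"
Content-Disposition: attachment; filename="scan.pdf"

(constructed placeholder for PDF bytes)
--b2--
"""

if __name__ == "__main__":
    for name, sample in [("PGP_MIME", PGP_MIME), ("INLINE_PGP", INLINE_PGP),
                         ("SECURE_LINK", SECURE_LINK), ("BAD_LINK", BAD_LINK),
                         ("PLAIN", PLAIN), ("ATTACHMENT", ATTACHMENT)]:
        print(name, gate(sample))
```

The gate deliberately does not try to recognize PHI in free text; it enforces the shape of the message instead, which is what the checklist prescribes. Messages that are neither encrypted nor a portal link are held for a person to look at rather than silently dropped, so a harmless office reminder still gets out after review.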
Helpful HIPAA Publications
HIPAA Privacy: The Privacy Rule and Health Care Practice CD-ROM
LearnSomething offers a complete HIPAA privacy training solution that combines expert HIPAA information with organizational policies and procedures (P&Ps) and a mechanism that builds in proof of participation. The entire solution is delivered on this CD-ROM.
HIPAA Health features:
* Comprehensive training for all health care settings.
* Activities and examples to address specific scenarios.
* Proof of training compliance through tracking of participation and automatic generation of completion certificate.
* Provides complete training unit (including an exam) on HIPAA for integration into all health care curricula.
About Kahl Consultants
A San Rafael based consulting firm, Kahl Consultants specializes in small business web design and internet services. We ensure that the websites of our clients in the Health Care industry meet HIPAA compliance.
Kahl Consultants is a certified Bay Area Green Business and a Marin Sustainable Partner.
Reader Feedback
kahlbo, Mar 31, 2008 @ 1:38 pm
There are many ways to ensure compliance with HIPAA for digital information collected and transferred by email and web.
If you have a favorite method please let us know! Or if you have any suggestions or questions feel free to pass them on.
by InfoRealtor
InfoRealtors.com and Kahl Consultants provide Small Business Web Services.
From Website Design and Hosting to SEO/SEM and Web Marketing, we are a one-...