
HIPAAdvisor: Q & A with Steve Fox

E-MAIL TRANSMISSIONS

QUESTION #7: I work for a hospital that routinely sends patient records to various third-party contractors via e-mail. To my knowledge, this information is not encrypted or password protected. Does HIPAA forbid these types of transmissions?

I keep reading about the HCFA Internet Security Policy (PDF); what is HCFA and what relationship and/or relevance, if any, does it have to HIPAA? Is there anything we should be doing relative to e-mail communications while we wait for HIPAA regulations on the issue?

ANSWER: While the proposed HIPAA regulations do not forbid electronic transmission of such information, they do require the information to be encrypted.

The answer to your question has implications that extend far beyond compliance with HIPAA's security standards. The broader and perhaps more important issue is your hospital's patients' comfort level with the hospital's current, rather lax, Internet security protocol if it were made public. Even assuming that the hospital's current approach is not uncommon, the hospital's patients may feel their trust has been misplaced. What the hospital does when HIPAA takes effect won't be able to repair the damage to the hospital's reputation.

One of the most important issues facing our society in this "electronic information age" is how to reap the benefits of instant data transmission and at the same time protect the privacy of the individual. There are currently no fewer than 16 bills pending in Congress that address this issue. In fact, a recent article cites consumers' enormous privacy concerns as a hindrance to more widespread use of the Internet for online health care and health education (http://www.hipaadvisory.com/views/Patient/online071200.htm).

HIPAA confronts this issue by imposing minimum security standards on health care providers, clearinghouses, plans, and other entities that electronically maintain or transmit health information (as defined by the Act).

Electronic transmissions include, among others, transmissions over the Internet and extranets (networks that use Internet technology to link an organization with its business partners, with information accessible only to the collaborating parties). The proposed rules require protection of electronically transmitted health information so that it cannot be "intercepted [or] interpreted by parties other than the intended recipient and [can be] protect[ed]... from intruders trying to access systems through external communication points." The proposed HIPAA regulations recognize that information transmitted over the Internet is especially vulnerable to compromise and interference, and accordingly require such information to be encrypted.

It is advisable for the hospital to follow the Health Care Financing Administration (HCFA) Internet Security Policy (PDF) guideline until the final HIPAA security regulations are released. HCFA is the DHHS agency responsible for Medicare and parts of Medicaid. HCFA's Internet Security Policy applies to HCFA contractors, state agencies acting as HCFA agents, other government organizations, and any entity that has been authorized by HCFA to access HCFA information resources. HCFA's policy authorizes use of the Internet for transmission of individually identifiable and other sensitive information as long as:

  1. Covered entities use an acceptable method of encryption that ensures the confidentiality and integrity of the information being transmitted; and
  2. There is an authentication/identification procedure to verify the identity of both the sender and the intended recipient.

The HCFA Internet Security Policy is relevant to HIPAA because it lists acceptable approaches to satisfying authentication and encryption requirements like those HIPAA imposes; the drafters of the final HIPAA security regulations may take these approaches into account and could potentially use them as a model when making final determinations on the comparable HIPAA regulation.



Steve Fox, Esq., is a partner in the Washington, D.C. office of Pepper Hamilton LLP. Pepper Hamilton LLP is a multi-practice law firm with more than 400 lawyers in ten offices. A specialist in healthcare, Steve is a frequent writer and speaker on healthcare information management and technology issues. www.pepperlaw.com/

This article was co-authored by Rachel H. Wilson, Esq., an associate at Pepper Hamilton.

Disclaimer: Steve's responses offer information that is general in nature and should not be relied upon as legal advice. Only your attorney is qualified to evaluate your specific situation and provide you with customized advice.

Have a question you'd like Steve to discuss in HIPAAlert? Send it to and he'll be glad to consider using it in a future column, with or without attribution.