Self Decrypting Archives

Adam Pavelec apavelec@benefit-services.com
Fri Jun 20 16:12:01 2003


On Friday, June 20, 2003 12:41 AM [GMT-5=EST], Steve Butler
<sbutler@fchn.com> wrote:

> Not sure what industry Jeff is in.  In the health care industry
> in the US we can simply point to the HIPAA regs and tell our
> vendors that they need to run something compatible with PGP and
> provide us with their public key.

I am by no means a HIPAA expert -- I don't think /anyone/ is, including
the United States Department of Health & Human Services itself.
However, I /have/ read through the Health Insurance Reform: Security
Standards Final Rule (http://aspe.hhs.gov/admnsimp/FINAL/FR03-8334.pdf).
I think this quote from section (§ 164.312(e)(1)) says it all: "In this
final rule, we adopt integrity controls and encryption, as addressable
implementation specifications."  This indicates that encryption is not a
requirement.  My organization's team of legal consultants in Washington
has confirmed this.

Another interesting quote from the /Response/ section:

-----BEGIN QUOTE-----
Particularly when considering situations faced by small and rural
providers, it became clear that there is not yet available a simple and
interoperable solution to encrypting email communications with patients.
As a result, we decided to make the use of encryption in the
transmission process an addressable implementation specification.
Covered entities are encouraged, however, to consider use of encryption
technology for transmitting electronic protected health information,
particularly over the internet.
-----END QUOTE-----

As far as I can understand, the 'HIR: Security Standards Final Rule' is
indeed a HIPAA Regulation.  If you could, Steve, please refer us to the
HIPAA Regulation(s) you briefly mentioned above that state
PGP-compatible encryption is a requirement.  I am sure that there are at
least a few of us on this list who are interested.

--Adam