Self Decrypting Archives

Steve Butler
Fri Jun 20 16:44:02 2003

I should clarify a bit.  HIPAA doesn't mandate PGP or PGP compatible.
does mandate secure transmissions for PHI (protected health
Albeit, a FAX is considered secure!!

I'll have to put you in touch with our HIPAA person to go into further
details.  But our lawyers have determined that using a password on PKZIP
doesn't qualify.

Now, if you share a VPN with your client, then the transmission medium is
encrypted and you won't have to worry about using something like PGP.

As a side note, the Office of Insurance Commissioner (OIC) for the State of
Washington expects a monthly file for physicians and other practitioners
our network.  This file contains SSN which is part of the PHI.  But
state law requires OIC to make this data publicly available, they refuse to
accept encrypted files.  Go figure!

-----Original Message-----
From: Adam Pavelec
Sent: Friday, June 20, 2003 7:13 AM
To: Steve Butler
Subject: Re: Self Decrypting Archives

On Friday, June 20, 2003 12:41 AM [GMT-5=EST], Steve Butler wrote:

> Not sure what industry Jeff is in.  In the health care industry
> in the US we can simply point to the HIPAA regs and tell our
> vendors that need to run something compatible with PGP and
> provide us with their public key.

I am by no means a HIPAA expert -- I don't think /anyone/ is, including
the United States Department of Health & Human Services itself.
However, I /have/ read through the Health Insurance Reform: Security
Standards Final Rule (
I think this quote from section (§ 164.312(e)(1)) says it all: "In
final rule, we adopt integrity controls and encryption, as addressable
implementation specifications."  This indicates that encryption is not a
requirement.  My organization's team of legal consultants in Washington
has confirmed this.

Another interesting quote from the /Response/ section:

-----BEGIN QUOTE-----
Particularly when considering situations faced by small and rural
providers, it became clear that there is not yet available a simple and
interoperable solution to encrypting email communications with patients.
As a result, we decided to make the use of encryption in the
transmission process an addressable implementation specification.
Covered entities are encouraged, however, to consider use of encryption
technology for transmitting electronic protected health information,
particularly over the internet.
-----END QUOTE-----

As far as I can understand, the 'HIR: Security Standards Final Rule' is
indeed a HIPAA Regulation.  If you could, Steve, please refer us to the
HIPAA Regulation(s) you briefly mentioned above that state
PGP-compatible encryption is a requirement.  I am sure that there are at
least a few of us on this list who are interested.

