
Emailing Medical Records: HIPAA

Developers
2012-09-26
2013-04-06
  • ZH Healthcare

    ZH Healthcare - 2012-09-26

    Hi
    We were trying to figure out a way to make emailing medical records from OpenEMR HIPAA compliant.

    We plan to encrypt the attachment in the email which contains the patient information and send it out in the first email and follow that up with another email with the encryption key. Essentially two emails.

    Would this be sufficiently compliant for the HIPAA encryption of "data in transport" rule?

    Thanks in advance
    Eldho
    www.zhservices.com

     
  • Kevin Yeh

    Kevin Yeh - 2012-09-26

    No way such a scheme would be compliant, since the key is being sent as plaintext.

    Unintended recipients would have no trouble reading your "private information" if they get both messages, and it's not any harder to intercept two emails instead of just one.

     
  • ZH Healthcare

    ZH Healthcare - 2012-09-26

    @yehster

    Any other suggestions?!!

    Thanks and regards
    Eldho

     
  • John Williams

    John Williams - 2012-09-26

    Eldho

    Standards for secure messaging of PHI have been approved by ONC and are specified in the EHR certification requirements for MU-2. The standard is basically SMTP with S/MIME, and is known as "Direct Exchange", "Direct Messaging", etc.

    A HISP (health information service provider) is a certified organization that verifies the identity and credentials of individuals and organizations seeking to originate Direct messaging, and manages digital certificates on users' behalf. HISPs are designed to interconnect with other, trusted HISPs, so users of HISP A can exchange PHI with users of HISP B.

    John

     
  • Alan Miller

    Alan Miller - 2012-10-03

    Who you're exchanging information with is also a major part of this question.

    If you're exchanging with other medical practices, hospitals, etc. there's quite a bit of stuff out there related to information exchange, though much of it is targeted at large organizations such as hospitals. Requirements to be able to do this are coming for them.

    If you're exchanging with patients, basically you're trying to use email instead of a patient portal. The actual encryption and sending of data are in fact only a minor (and relatively trivial to implement) part of the question; the bigger issue is how you're going to handle all the user account stuff - usernames/IDs, non-trivial passwords that can be changed in the case of compromise, end-user support, etc. Encrypting and emailing is relatively trivial, you can likely generate your encrypted files from either code or command-line tools. What password you encrypt with and how you get that password is harder. Emailing (even encrypted content - and don't forget to mask the filename) without revealing that Person X is a patient of Practice Y, etc. becomes far more of an issue.

    Basically, think of email as a postcard because technically that's what it really is.
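    The two points made above, that the encryption itself is the easy part and that the attachment must not leak who the patient is, can be shown in a small container format. This is an added example and not OpenEMR code or anything from the thread; it uses only the Python standard library (PBKDF2 for the key, HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag) so that it runs anywhere, and the function names, the `ENCATT1` magic and the sample record are all constructed for illustration. The password is assumed to be agreed out of band (phone, in person, a portal), never in a follow-up email; the real filename is stored inside the ciphertext so the attachment name the mail server sees is opaque.

```python
"""Encrypt a record attachment into an opaque container under a shared
password, hiding the original filename inside the ciphertext.

Added example, not OpenEMR code. Standard library only: HMAC-SHA256 in
counter mode for confidentiality plus an encrypt-then-MAC tag for
integrity. It demonstrates the pattern; a deployment would normally use
a vetted tool or S/MIME (Direct) rather than a hand-built container.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Tuple

MAGIC = b"ENCATT1"        # constructed container identifier
PBKDF2_ROUNDS = 100_000   # work factor for the password-derived key
BLOCK = 32                # bytes of keystream per HMAC-SHA256 block
TAG_LEN = 32


def _derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the shared password."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks (counter mode)."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter = struct.pack(">Q", i // BLOCK)
        block = hmac.new(key, nonce + counter, "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[i:i + BLOCK], block))
    return bytes(out)


def encrypt_attachment(filename: str, content: bytes, password: str) -> Tuple[str, bytes]:
    """Return (opaque_name, container).

    The real filename travels inside the ciphertext, so the name attached to
    the email says nothing about which patient or practice it concerns.
    """
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(password, salt)
    name = filename.encode("utf-8")
    plaintext = struct.pack(">H", len(name)) + name + content
    header = MAGIC + salt + nonce
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, header + ciphertext, "sha256").digest()
    opaque_name = secrets.token_hex(8) + ".bin"
    return opaque_name, header + ciphertext + tag


def decrypt_attachment(container: bytes, password: str) -> Tuple[str, bytes]:
    """Verify the tag before touching the data, then return (filename, content).

    Raises ValueError on a wrong password or a modified container.
    """
    hdr_len = len(MAGIC) + 32
    if len(container) < hdr_len + TAG_LEN or not container.startswith(MAGIC):
        raise ValueError("not an encrypted attachment container")
    header = container[:hdr_len]
    body = container[hdr_len:-TAG_LEN]
    tag = container[-TAG_LEN:]
    salt = header[len(MAGIC):len(MAGIC) + 16]
    nonce = header[len(MAGIC) + 16:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, header + body, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong password or modified data")
    plaintext = _keystream_xor(enc_key, nonce, body)
    (name_len,) = struct.unpack(">H", plaintext[:2])
    return plaintext[2:2 + name_len].decode("utf-8"), plaintext[2 + name_len:]


if __name__ == "__main__":
    # Constructed sample record; the password is agreed out of band, not emailed.
    record = b"Patient: J. Doe\nVisit: 2012-09-20\nNote: follow-up in two weeks\n"
    opaque, blob = encrypt_attachment("jdoe_visit_2012-09-20.txt", record, "correct horse battery")
    print("attach as:", opaque)          # e.g. 3f9a...c1.bin, nothing patient-specific
    print(decrypt_attachment(blob, "correct horse battery")[0])
```

    Whether this container is mailed or posted to a portal, the security rests on how the password reaches the patient and what happens when it is lost or compromised, which is the account-management problem described above; the container itself only guarantees that someone who intercepts the email, with or without a second one, learns nothing beyond the ciphertext length.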

     
  • Tony McCormick

    Tony McCormick - 2012-10-19

    The previous post re transcription servers appears to be SPAM
    -Tony

     
  • Brady Miller

    Brady Miller - 2012-10-20

    hi,
    Yanked the spam and will report the user to sourceforge.
    -brady
    OpenEMR

     
