Encrypting e-mail and what is considered confidential under HIPAA

Does HIPAA have any effect on internal e-mails behind a firewall, i.e. will internal e-mails need to be encrypted? Also, what strength of encryption is needed externally, as well as any other requirements such as authentication, etc.?

Lastly, what exactly is considered confidential (client ID/number, name)?



The HIPAA Security Rule, in its current proposed form, does not require internal e-mails on a wired network to be encrypted. E-mails are required to be encrypted if they go across an "open network" such as the Internet or even a wireless LAN. As of now, there is no minimum requirement for encryption strength. A common encryption strength is 168-bit (3DES), but 128-bit will usually suffice. Anything more may be overkill, anything less has been proven to be easily crackable. See "Expert deconstructs the cracking of 64-bit key" for more information on this subject.

Regarding authentication, the following is required:

  • data authentication -- mechanism that provides proof that data has not been altered or destroyed in an unauthorized manner
  • entity authentication -- mechanism that provides proof that an entity is who it claims to be
  • message authentication -- mechanism to ensure that a message received matches the message sent

Most, if not all, of these requirements can be met with third party mail gateway products and authentication systems from various vendors.

Regarding what is considered confidential, it basically boils down to any individually identifiable health information including SSN, name, address, medical record numbers, treatment history, etc. -- anything that can be used to identify a patient. Stay tuned, however: the HIPAA Security Rule may be finalized at the end of December 2002 and might contain updates or changes to this information.




This was first published in December 2002