Emailing Medical Records: HIPAA

zhhealthcare wrote on Wednesday, September 26, 2012:

Hi
We were trying to figure out a way to make emailing medical records from OpenEMR HIPAA compliant.

We plan to encrypt the attachment in the email which contains the patient information and send it out in the first email and follow that up with another email with the encryption key. Essentially two emails.

Would this be sufficiently compliant for the HIPAA encryption of “data in transport” rule?

Thanks in advance
Eldho

yehster wrote on Wednesday, September 26, 2012:

No way such a scheme would be compliant, since the key is being sent as plaintext.

Unintended recipients would have no trouble reading the “private information” if they get both messages, and it’s not any harder to intercept two emails instead of just one.

zhhealthcare wrote on Wednesday, September 26, 2012:

@yehster

Any other suggestions?!!

Thanks and regards
Eldho

johnbwilliams wrote on Wednesday, September 26, 2012:

Eldho

Standards for secure messaging of PHI have been approved by ONC and are specified in the EHR certification requirements for MU-2. The standard is basically SMTP with S/MIME, and is known as “Direct Exchange”, “Direct Messaging”, etc.

A HISP (health information service provider) is a certified organization that verifies the identity and credentials of individuals and organizations seeking to originate Direct messaging, and manages digital certificates on users’ behalf. HISPs are designed to interconnect with other, trusted HISPs, so users of HISP A can exchange PHI with users of HISP B.

John

fencepost wrote on Wednesday, October 03, 2012:

Who you’re exchanging information with is also a major part of this question.

If you’re exchanging with other medical practices, hospitals, etc. there’s quite a bit of stuff out there related to information exchange, though much of it is targeted at large organizations such as hospitals. Requirements to be able to do this are coming for them.

If you’re exchanging with patients, basically you’re trying to use email instead of a patient portal. The actual encryption and sending of data are in fact only a minor (and relatively trivial to implement) part of the question; the bigger issue is how you’re going to handle all the user account stuff - usernames/IDs, non-trivial passwords that can be changed in the case of compromise, end-user support, etc. Encrypting and emailing is relatively trivial, you can likely generate your encrypted files from either code or command-line tools. What password you encrypt with and how you get that password is harder. Emailing (even encrypted content - and don’t forget to mask the filename) without revealing that Person X is a patient of Practice Y, etc. becomes far more of an issue.

Basically, think of email as a postcard because technically that’s what it really is.
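
As an added example (not from this thread and not OpenEMR code), the S/MIME envelope that John's Direct Messaging post describes and the command-line encryption fencepost mentions, done with openssl: the sender encrypts to the recipient's certificate, so no key ever travels in a second email, and the attachment carries a generic filename. It assumes openssl and a POSIX shell; the self-signed certificate and the patient record are constructed for the demo, where a real Direct deployment would use a HISP-issued certificate.

```shell
#!/bin/sh
# Added example, not OpenEMR code. Assumes openssl and a POSIX shell.
set -e

WORK=$(mktemp -d)

# Recipient key pair and certificate (self-signed, constructed for the demo;
# in Direct messaging the HISP issues and manages this certificate).
make_recipient_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=recipient.example/emailAddress=dr@recipient.example" \
        -keyout "$WORK/recipient.key" -out "$WORK/recipient.crt" >/dev/null 2>&1
}

# Constructed PHI payload; the generic filename says nothing about the patient.
write_plaintext() {
    printf 'Content-Type: text/plain\n' > "$WORK/phi.txt"
    printf 'Content-Disposition: attachment; filename="document.txt"\n\n' >> "$WORK/phi.txt"
    printf 'Patient: Jane Doe\nDOB: 1970-01-01\nVisit: follow-up\n' >> "$WORK/phi.txt"
}

# Encrypt to the recipient's public key (AES-256 content key, RSA-wrapped);
# the output is a complete S/MIME message ready to hand to SMTP.
encrypt_message() {
    openssl smime -encrypt -binary -aes256 -in "$WORK/phi.txt" \
        -out "$WORK/encrypted.eml" "$WORK/recipient.crt"
}

# Only the holder of the recipient's private key can open the envelope.
decrypt_message() {
    openssl smime -decrypt -binary -in "$WORK/encrypted.eml" \
        -inkey "$WORK/recipient.key" -out "$WORK/decrypted.txt"
}

# Succeeds only if the message on the wire leaks none of the patient data.
ciphertext_hides_phi() {
    ! grep -q "Jane Doe" "$WORK/encrypted.eml"
}

# Succeeds only if the recipient recovered the original record.
recipient_can_read_phi() {
    grep -q "Patient: Jane Doe" "$WORK/decrypted.txt"
}

make_recipient_cert
write_plaintext
encrypt_message
decrypt_message
```

Note that this covers only the "data in transit" piece; the account, password-reset and support questions fencepost raises are unchanged by it.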

tmccormi wrote on Friday, October 19, 2012:

The previous post re: transcription servers appears to be spam.
-Tony

bradymiller wrote on Saturday, October 20, 2012:

hi,
Yanked the spam and will report the user to sourceforge.
-brady
OpenEMR