transmission security (HIPAA)

Covered entities must address transmission security as part of their technical safeguards. The Security Rule defines it as "technical security mechanisms to guard against unauthorized access to electronic protected health information [PHI] that is being transmitted over an electronic communications network."

The standard has two implementation specifications, both of which are addressable. The first includes "security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of." The second embraces "mechanisms to encrypt electronic [PHI] deemed appropriate."

The standard does not mandate any particular set of integrity controls, such as encryption, for all transmissions. (In a proposed version of the Rule, encryption was to be required for all "open networks.") Now the covered entity must decide, following its own risk analyses, what degree of protection is appropriate in each circumstance.

While it "encourages" consideration of encryption, DHHS has advised only that electronic PHI must be "protected in a manner commensurate with the associated risk" when it is transmitted from one place to another. (Final Rule, p.139) Technological change can be expected to shift both the cost-effectiveness of encryption technologies and the risk factors for interception of unencrypted transmissions.

In response to questions regarding unsolicited electronic receipt of PHI -- e.g., in email from patients -- DHHS offered the following guidance: "[S]ecurity protection must subsequently be afforded ... once that information is in the possession of the covered entity," commensurate with its nature and sensitivity. "The manner in which the information is received does not affect the protection required." (Final Rule, p.144) However, the Rule does not require covered entities to try to protect the unsolicited inbound transmissions.

This leaves open the question of whether, as a matter of ethics, covered entities should encourage or discourage certain transmission behaviors by patients. But HIPAA does not require that covered entities treat patients like business associates and insist on security at the patient's end of the wire.