
“Diagnosing eMail Vulnerabilities: Meeting the HIPAA Challenge”
May 29, 2002

Responses to Audience Questions (for questions not answered during the live event)

Responses to audience questions are provided by Mr. Tom Hanks, National Director/Client Services – PricewaterhouseCoopers Health Care Practice, and Mr. Ken Roderman, Director/Healthcare – ZixCorp.

  1. Has HIPAA set a standard encryption format?

  2. Does pure encryption satisfy email security policy according to HIPAA?

  3. Is this encryption requirement for the Internet part of the administrative simplification regs that go into effect in October 2003 or is it part of the security rules not yet finalized?

  4. Do you think HIPAA Security Policy will also include an adequate encryption section and do you think it will rely on HCFA’s encryption language or the new AES encryption standards that replace DES?

  5. I was under the impression that DDE transactions would no longer be valid under the TCS Ruling?

  6. Is data encryption required over the local hospital private LAN?

  7. What advice can you give small physician practices regarding cost effectively becoming HIPAA compliant?

  8. I work for a small municipal city where the HR department is worried about compliance. What are our requirements for the new regulations; for example, do we have to encrypt email between employees and HR?

  9. How will security practices be enforced? Will the government audit organizations to ensure compliance? What are the penalties?

  10. Could you please explain what is HCFA?

  11. Do we need Windows 2000 to be compliant?

  12. Should business associates follow the same procedures and policies as covered entities? Are there any regulations regarding business associates?

  13. If you have a server level solution with a local email server and a remote workforce that does not log into the network, is the email from the remotes protected?


Has HIPAA set a standard encryption format?

Tom Hanks: “In fact, HIPAA does not set an encryption standard. HIPAA itself is technology neutral and is careful not to dictate or mandate any particular technology. However, what we do is refer to the HCFA Internet Security Policy that was released in 1998.

In the HCFA Internet Security Policy (and of course we all know that HCFA is CMS today), they do mandate or do give levels of encryption that we look to as a reference guide. First of all, on the encryption, they are looking at 112-bit Triple DES as the equivalency that any encryption should meet, and that would be equivalent to, for example, 1024-bit asymmetric encryption or 160-bit elliptic curve.”

Does pure encryption satisfy email security policy according to HIPAA?

Tom Hanks: “Pure encryption may or may not satisfy the email policy. What we are looking for, although HIPAA says “encryption”, is that there is also a provision in the privacy rule that tells us that we need to authenticate; that is, we need to know who it is that we are doing business with, so there needs to be some methodology of knowing who we are sending the information to and that the person we are sending it to is the one that actually received it.”

Is this encryption requirement for the Internet part of the administrative simplification regs that go into effect in October 2003 or is it part of the security rules not yet finalized?

Tom Hanks: “The actual mandate for encryption is in the security rule that is not yet finalized; however, under the privacy rule we have to have our security implementation in place by April 2003. So we look at the security rule and we don’t expect any material changes from the final security rule. We do know that it will be aligned with the current privacy rule so we would advise folks to be ready with encryption over the Internet by April 2003.”

Do you think HIPAA Security Policy will also include an adequate encryption section and do you think it will rely on HCFA’s encryption language or the new AES encryption standards that replace DES?

Tom Hanks: “I don’t think we will see anything different in the way that HCFA handles technology in the final rule. It is technology neutral and we think that it will stay technology neutral which means that right now we will still refer back to the HCFA Internet Security Policy to get guidance and direction since the HIPAA rules do not and will not mandate any particular level of encryption or form of technology to implement it.”

I was under the impression that DDE transactions would no longer be valid under the TCS Ruling?

Tom Hanks: “DDE, which stands for “direct data entry”, is in fact allowed. There are some requirements that any DDE implementation accommodate the entire data set for the transaction you are doing DDE with; that is, it needs to accommodate the standard data requirements, but it does not have to be in the actual EDI format specified by HIPAA. So DDE is an exception and is allowed for.”

Is data encryption required over the local hospital private LAN?

Tom Hanks: “There is no requirement in HIPAA for encryption except over an open network, which is the Internet. If we have an internal network that we control, there is no requirement for encryption. Having said that, there are some people who will do the risk analysis and determine that internal encryption is something that they would want to implement within their own organization.”

What advice can you give small physician practices regarding cost effectively becoming HIPAA compliant?

Tom Hanks: “When we look at small physician practices, the upside is that HIPAA is a scalable rule, and we are not going to expect nearly the level of security that we would expect in large hospitals or insurance companies. In fact, today WEDI has a draft white paper out on our website under the SNIP site, the Strategic National Implementation Plan (www.wedi.org/snip), and we have a complete white paper on the implementation of HIPAA practices for small physician practices that should give some guidelines and a road map of what you need to do.”

I work for a small municipal city where the HR department is worried about compliance. What are our requirements for the new regulations; for example, do we have to encrypt email between employees and HR?

Tom Hanks: “Again, when we talk about encryption, there is no mandate for encryption internally. There is a mandate for encryption on the open network; however, there is also a mandate that each entity do a risk analysis and determine from that risk analysis what is best for their organization and their size, and they can take cost into consideration. Some organizations will in fact elect to encrypt email internally and some won’t, so there is no mandate for that. When we talk about what is required of a small municipal city, it is the same requirement as for any other covered entity under HIPAA; that is, each covered entity needs to do a risk analysis, at least on the security side, and determine what level of security implementation is going to be necessary to protect the privacy of protected health information for their entity, keeping size and cost in consideration. Again, they need to determine that for themselves and need to make their own risk avoidance and risk analysis.”

How will security practices be enforced? Will the government audit organizations to ensure compliance? What are the penalties?

Tom Hanks: “The government has told us that they will have an enforcement proposed rule out some time this year; however, we do not see the government going around and knocking on people’s doors and auditing their security practices. What we do look for is really the enforcement of privacy, and we have some guidelines for that. We know, for example, that OCR (that’s the Office of Civil Rights) is going to be enforcing the privacy rule, and you can look on their website for some of the guidelines. The trouble is that they are not going to take a real proactive approach. They will respond to complaints. Their whole intent is to work with the industry to help bring us into compliance. So while we look on the enforcement side we don’t see a lot of risk of HHS breaking down doors and sending people to jail; however, what we do see on the other hand is a significant risk from third party lawsuits. The HIPAA rules, especially the Privacy Rule, set a standard of care that in fact can be used to leverage third party suits, whereas the government enforcement itself may not be something that we should quake in fear about. We should certainly have our eyes on the ball when it comes to third party lawsuits.”

Could you please explain what is HCFA?

Ken Roderman: “HCFA stands for the Health Care Financing Administration, the administration that previously administered Medicare and was one of the pioneers in setting some of the basis of the encryption technology that we talked about early on. However, that agency is now overseen by CMS, which now oversees Medicare and Medicaid, so HCFA technically is not really the right term any more, but the policies that were set forth were set forth when it was referred to as HCFA.”

Do we need Windows 2000 to be compliant?

Ken Roderman: “I’m not sure what the specific question is addressing regarding compliance to what. If talking about HIPAA in general – NO. Certainly it is more general than that, but if you are talking about simply being able to encrypt emails in the fashions we talked about, no. In fact, you don’t even need to have Windows at all. There are packages and abilities out there with several software solutions, but for the most part, running the standard Windows-based solutions, you are going to want to be at least ’98 or above. A lot of cases do not support ’95.”

Should business associates follow the same procedures and policies as covered entities? Are there any regulations regarding business associates?

Tom Hanks: “There are a number of regulations regarding business associates, but business associates are not directly regulated by HHS or the government. HHS regulates and controls the covered entities, which are essentially providers which send electronic transactions, clearinghouses and health plans. So it is really up to the relationship between the business associate and the covered entity business partner as to what they should follow, and really they should follow whatever directions are in their business associate contract. Now there are some mandatory terms in the business associate contract, and within those terms the business associate will in fact agree to things like abiding by the covered entity’s privacy policies and practices, agreeing to destroy protected health information upon termination of the contract, and a number of other terms that are readily available in the privacy rule.”

If you have a server level solution with a local email server and a remote workforce that does not log into the network, is the email from the remotes protected?

Ken Roderman: “I would need a little more information, specifically, in this case, how this person, if they are not logged into the network, is actually sending and receiving email. I am assuming they are talking about allowing them to log into the Internet on a web-based system. And that may or may not be protected. If they are set up with an SSL connection then it would be, but most likely it is not. The best way to deal with a situation like that is to have your remote workforce dial in through a VPN; then they are going to be using whatever encrypted email systems you have in place at the corporate office.”


Contact Information

Ken Roderman
ZixCorp
214/370-2276
kroderman@zixcorp.com


Tom Hanks
PricewaterhouseCoopers
312/298-4228
tom.hanks@pwcglobal.com


© 2002. Zix Corporation. This site and the "Zix" marks are protected by copyright and trademark
laws under U.S. and international law. All rights reserved.