Jump to content

  •  

Photo

Password Protected PDF HIPAA Compliant?


  • Please log in to reply
11 replies to this topic

#1 Matt Klein  Certified Developer

Matt Klein
  • Members
  • 387 posts
  • FM Application:13 Advance
  • Platform:Cross Platform
  • Skill Level:Intermediate
  • Certification:8, 11
  • Membership:TechNet, FileMaker Business Alliance
  • Time Online: 1d 15h 10m 32s

Posted 07 February 2012 - 08:08 AM

I have scoured the internet to find out if attaching a Password protected PDF to an email is HIPAA compliant. All I see talked about is encrypting the email itself.

Does anyone know if attaching an encrypted, password protected PDF to an email is considered HIPAA compliant?
  • 0

#2 jbante  

jbante
  • Members
  • 381 posts
  • LocationNC, USA
  • FM Application:13 Advance
  • Platform:Cross Platform
  • Skill Level:Expert
  • Certification:7, 9, 10, 11, 12
  • Membership:TechNet, FileMaker Business Alliance, FIleMaker Platinum Member
  • Time Online: 8d 13h 37m 42s

Posted 07 February 2012 - 08:52 AM

HIPAA is intentionally vague about specific technical practices like whether it's enough to encrypt just an attachment, or if the whole email has to be encrypted. This is because lawmakers can't predict what security issues or resolutions may come up as new technology is developed. The important thing is that you have a documented policy describing what's acceptable for your organization and why you made that decision.

If the ePHI you're protecting is in the PDF and not in the email, I'd say that encrypting the PDF (so long as the password is nowhere near the email) is a defensible practice. (I have worked on systems with HIPAA-regulated data, but I'm not a lawyer, so don't take my word for it.)
  • 0

#3 Matt Klein  Certified Developer

Matt Klein
  • Members
  • 387 posts
  • FM Application:13 Advance
  • Platform:Cross Platform
  • Skill Level:Intermediate
  • Certification:8, 11
  • Membership:TechNet, FileMaker Business Alliance
  • Time Online: 1d 15h 10m 32s

Posted 07 February 2012 - 02:15 PM

HIPAA is intentionally vague about specific technical practices like whether it's enough to encrypt just an attachment, or if the whole email has to be encrypted. This is because lawmakers can't predict what security issues or resolutions may come up as new technology is developed. The important thing is that you have a documented policy describing what's acceptable for your organization and why you made that decision.

If the ePHI you're protecting is in the PDF and not in the email, I'd say that encrypting the PDF (so long as the password is nowhere near the email) is a defensible practice. (I have worked on systems with HIPAA-regulated data, but I'm not a lawyer, so don't take my word for it.)


Thanks for the reply Jeremy. I find HIPAA to entirely vague. I have found no specific outline of what is expected. Just conversations between those of us that are in the industry trying to ensure we and our clients are properly protected.

Assuming that the ePHI only exists in the PDF and the PDF is encrypted with a password, is it sufficient to allow our clients to decide whether to email the ePHI as password encrypted PDFs?
  • 0

#4 jbante  

jbante
  • Members
  • 381 posts
  • LocationNC, USA
  • FM Application:13 Advance
  • Platform:Cross Platform
  • Skill Level:Expert
  • Certification:7, 9, 10, 11, 12
  • Membership:TechNet, FileMaker Business Alliance, FIleMaker Platinum Member
  • Time Online: 8d 13h 37m 42s

Posted 08 February 2012 - 08:12 AM

I'd say that emailing password protected PDFs is probably acceptable; but if your clients are emailing these PDFs outside the organization, there is a policy complication. If the HIPAA-regulated client of yours is hoping to share ePHI with an outside party (perhaps you, for example), the client needs to secure a contract with the outside party that includes terms forcing the outside party to protect the security of that data. Basically, HIPAA says that if your client is going to share data, they need a (legally binding) promise from the outside party that they'll take good care of it, too. This is often handled by the NDA portion of contractor and consulting agreements.
  • 0

#5 Matt Klein  Certified Developer

Matt Klein
  • Members
  • 387 posts
  • FM Application:13 Advance
  • Platform:Cross Platform
  • Skill Level:Intermediate
  • Certification:8, 11
  • Membership:TechNet, FileMaker Business Alliance
  • Time Online: 1d 15h 10m 32s

Posted 08 February 2012 - 08:29 AM

I'd say that emailing password protected PDFs is probably acceptable; but if your clients are emailing these PDFs outside the organization, there is a policy complication. If the HIPAA-regulated client of yours is hoping to share ePHI with an outside party (perhaps you, for example), the client needs to secure a contract with the outside party that includes terms forcing the outside party to protect the security of that data. Basically, HIPAA says that if your client is going to share data, they need a (legally binding) promise from the outside party that they'll take good care of it, too. This is often handled by the NDA portion of contractor and consulting agreements.


Thanks again for the thoughts on this. The sharing of ePHI would be between our client, pathology lab, and their clients, MDs. So, it sounds like if our client has a BAA(Business Associates Agreement) with their client, then emailing a password encrypted PDF with ePHI should be compliant.

Does that sound about right?
  • 0

#6 jbante  

jbante
  • Members
  • 381 posts
  • LocationNC, USA
  • FM Application:13 Advance
  • Platform:Cross Platform
  • Skill Level:Expert
  • Certification:7, 9, 10, 11, 12
  • Membership:TechNet, FileMaker Business Alliance, FIleMaker Platinum Member
  • Time Online: 8d 13h 37m 42s

Posted 08 February 2012 - 10:22 AM

I'm not a lawyer, but that sounds about right.
  • 0

#7 Jaesonborn  newbie

Jaesonborn
  • Newbies
  • PipPipPipPip
  • 4 posts
  • FM Application:5
  • Platform:Windows 7
  • Skill Level:Beginner
  • Certification:7
  • Membership:TechNet

Posted 07 April 2012 - 11:01 AM

Can anything be safe these days? I mean, they have entire networks dedicated to these kind of things. No amount of protection can stop them from messing with you.
  • -1

#8 antidote  newbie

antidote
  • Newbies
  • PipPipPipPip
  • 4 posts
  • FM Application:12 Advance
  • Platform:Mac OS X Mountain Lion
  • Skill Level:Expert
  • Certification:7, 9, 10, 11, 12
  • Membership:TechNet, FileMaker Business Alliance, FIleMaker Platinum Member

Posted 03 July 2013 - 06:10 AM

I know I am a little late replying to this, but it may help someone else viewing this thread.

 

In FileMaker the option save PDF with a password, does not encrypt the PDF.  It just requires the password to open it or a cracker.  Therefore, it is my opinion that this does not meet HIPAA compliance if this PDF was emailed.

 

Tim


  • 1

#9 jbante  

jbante
  • Members
  • 381 posts
  • LocationNC, USA
  • FM Application:13 Advance
  • Platform:Cross Platform
  • Skill Level:Expert
  • Certification:7, 9, 10, 11, 12
  • Membership:TechNet, FileMaker Business Alliance, FIleMaker Platinum Member
  • Time Online: 8d 13h 37m 42s

Posted 03 July 2013 - 07:43 AM

Matt didn't make any mention of a PDF being exported from FileMaker. But I agree, a PDF that is only password protected, but not encrypted, is not reasonably protected for the purposes of HIPAA.

 

Antidote, saying that "it just requires a password to open" is not a solid argument that a document is insecure. Shared secrets are a widespread accepted practice in cryptosystems. Practical encryption should "just require a password to open." The document is only insecure (for HIPAA purposes) if the data in it can be read without the password or any attempt to "crack" (i.e. guess) the password.


  • 0

#10 Matt Klein  Certified Developer

Matt Klein
  • Members
  • 387 posts
  • FM Application:13 Advance
  • Platform:Cross Platform
  • Skill Level:Intermediate
  • Certification:8, 11
  • Membership:TechNet, FileMaker Business Alliance
  • Time Online: 1d 15h 10m 32s

Posted 30 July 2013 - 12:21 PM

Antidote -

 

I'm going to politely disagree with you, though I'm open to be proven wrong,  regarding "In FileMaker the option save PDF with a password, does not encrypt the PDF."

 

I just ran a few tests.   The first was simply applying a user password, aka the password required to open the PDF,  to a PDF created by FileMaker.    I then opened that PDF and went to Edit>Protection>Security Properties.  I then clicked Advanced on the Security tab and it shows the Encryption level to be 128-bit AES.

 

I then ran a test by applying an owner password, aka the password required to control the restrictions such as allowing printing, copying filling of form fields, etc.    I then check the Encryption level and it was at 128-bit AES.

 

That said,  I definitely don't think that simply applying a user password is enough for HIPAA purposes.   We apply both an owner AND a user password to the PDF.

 

 

Jaesonborn -

 

I agree.  Nothing is completely safe these days.  I believe that is why HIPAA uses terms like "reasonable effort" and "best effort".

 

 

 

We ended up taking it a step further and we encapsulate the password protected/encrypted PDF in a 256-bit AES encrypted ZIP file before attaching it to the e-mail.


  • 1

#11 jbante  

jbante
  • Members
  • 381 posts
  • LocationNC, USA
  • FM Application:13 Advance
  • Platform:Cross Platform
  • Skill Level:Expert
  • Certification:7, 9, 10, 11, 12
  • Membership:TechNet, FileMaker Business Alliance, FIleMaker Platinum Member
  • Time Online: 8d 13h 37m 42s

Posted 30 July 2013 - 02:01 PM

That said,  I definitely don't think that simply applying a user password is enough for HIPAA purposes.

 

I disagree. HIPAA does not specify particular methods or levels of encryption necessary to satisfy any of its rules. If the encryption is good enough for classified documents up to "secret" level (which AES 128 is), it's "reasonable and appropriate" for HIPAA. I'm not familiar with the details of PDF security, but I know the AES algorithm has no concept of an "owner," only an encryption key. Adding a username to a password-protected PDF can't do anything to improve the strength of the encryption.


  • 0

#12 Matt Klein  Certified Developer

Matt Klein
  • Members
  • 387 posts
  • FM Application:13 Advance
  • Platform:Cross Platform
  • Skill Level:Intermediate
  • Certification:8, 11
  • Membership:TechNet, FileMaker Business Alliance
  • Time Online: 1d 15h 10m 32s

Posted 31 July 2013 - 05:09 AM

Adding a username to a password-protected PDF can't do anything to improve the strength of the encryption.

 

I agree.  I only distinguished between the user and owner passwords in my post because, in the PDF world,  they have different purposes.   But, I agree,  having both passwords doesn't likely change the encryption.   

 

Not using an owner password will leave the PDF in a vulnerable state and allow the user to possibly change the document in some way.    Perhaps that's not a HIPAA concern. 

 

It IS something that we need to worry about in the medical industry as there are other legislative bodies that require documents to be protected from modification after they are signed off on.


  • 0




FMForum Advertisers