I have scoured the internet to find out if attaching a Password protected PDF to an email is HIPAA compliant. All I see talked about is encrypting the email itself.
Does anyone know if attaching an encrypted, password protected PDF to an email is considered HIPAA compliant?
#1 Certified Developer
Posted 07 February 2012 - 08:08 AM
#2
Posted 07 February 2012 - 08:52 AM
HIPAA is intentionally vague about specific technical practices like whether it's enough to encrypt just an attachment, or if the whole email has to be encrypted. This is because lawmakers can't predict what security issues or resolutions may come up as new technology is developed. The important thing is that you have a documented policy describing what's acceptable for your organization and why you made that decision.
If the ePHI you're protecting is in the PDF and not in the email, I'd say that encrypting the PDF (so long as the password is nowhere near the email) is a defensible practice. (I have worked on systems with HIPAA-regulated data, but I'm not a lawyer, so don't take my word for it.)
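As an added example (not written by anyone in this thread), a pre-send gate that enforces the two conditions Jeremy names: every PDF attachment is actually encrypted, and no password hint travels in the message body. Addresses, the sample message and the regex are constructed assumptions; the /Encrypt byte scan is a heuristic, not a PDF parser.

```python
import email.policy
import re
from email import message_from_bytes
from email.message import EmailMessage

# Sender/recipient addresses are constructed for the example.
def build_message(body: str, pdf_bytes: bytes) -> bytes:
    """Assemble an outgoing message with one PDF attachment (constructed sample)."""
    msg = EmailMessage()
    msg["From"] = "lab@example.com"
    msg["To"] = "doctor@example.com"
    msg["Subject"] = "Pathology report"
    msg.set_content(body)
    msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()

# Phrases that suggest the password was sent alongside the file (assumed list).
PASSWORD_HINT = re.compile(r"\b(password|passcode|pwd)\b\s*(is|:)", re.IGNORECASE)

def pdf_is_encrypted(pdf: bytes) -> bool:
    """Heuristic: a PDF protected by the standard security handler carries an
    /Encrypt entry in its trailer (or cross-reference stream) dictionary.
    A byte scan is enough for a gate check; a production filter should use a
    real PDF parser and also reject weak legacy encryption settings."""
    return b"/Encrypt" in pdf

def check_outgoing(raw: bytes) -> dict:
    """Return findings for a raw RFC 5322 message; 'ok' is True only when every
    PDF attachment is encrypted and no password hint appears in the body."""
    msg = message_from_bytes(raw, policy=email.policy.default)
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body is not None else ""
    findings = {
        "pdf_attachments": 0,
        "unencrypted_pdfs": [],
        "password_in_body": bool(PASSWORD_HINT.search(body_text)),
    }
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        findings["pdf_attachments"] += 1
        if not pdf_is_encrypted(part.get_payload(decode=True)):
            findings["unencrypted_pdfs"].append(part.get_filename() or "<unnamed>")
    findings["ok"] = (findings["pdf_attachments"] > 0
                      and not findings["unencrypted_pdfs"]
                      and not findings["password_in_body"])
    return findings
```

The password itself still has to reach the recipient by a separate channel (phone, portal, prior agreement); this check only stops the most common mistake of pasting it into the same email.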
#3 Certified Developer
Posted 07 February 2012 - 02:15 PM
Jeremy Bante, on 07 February 2012 - 08:52 AM, said:
HIPAA is intentionally vague about specific technical practices like whether it's enough to encrypt just an attachment, or if the whole email has to be encrypted. This is because lawmakers can't predict what security issues or resolutions may come up as new technology is developed. The important thing is that you have a documented policy describing what's acceptable for your organization and why you made that decision.
If the ePHI you're protecting is in the PDF and not in the email, I'd say that encrypting the PDF (so long as the password is nowhere near the email) is a defensible practice. (I have worked on systems with HIPAA-regulated data, but I'm not a lawyer, so don't take my word for it.)
Thanks for the reply Jeremy. I find HIPAA to be entirely vague. I have found no specific outline of what is expected, just conversations between those of us in the industry trying to ensure we and our clients are properly protected.
Assuming that the ePHI only exists in the PDF and the PDF is encrypted with a password, is it sufficient to allow our clients to decide whether to email the ePHI as password encrypted PDFs?
#4
Posted 08 February 2012 - 08:12 AM
I'd say that emailing password protected PDFs is probably acceptable; but if your clients are emailing these PDFs outside the organization, there is a policy complication. If the HIPAA-regulated client of yours is hoping to share ePHI with an outside party (perhaps you, for example), the client needs to secure a contract with the outside party that includes terms forcing the outside party to protect the security of that data. Basically, HIPAA says that if your client is going to share data, they need a (legally binding) promise from the outside party that they'll take good care of it, too. This is often handled by the NDA portion of contractor and consulting agreements.
#5 Certified Developer
Posted 08 February 2012 - 08:29 AM
Jeremy Bante, on 08 February 2012 - 08:12 AM, said:
I'd say that emailing password protected PDFs is probably acceptable; but if your clients are emailing these PDFs outside the organization, there is a policy complication. If the HIPAA-regulated client of yours is hoping to share ePHI with an outside party (perhaps you, for example), the client needs to secure a contract with the outside party that includes terms forcing the outside party to protect the security of that data. Basically, HIPAA says that if your client is going to share data, they need a (legally binding) promise from the outside party that they'll take good care of it, too. This is often handled by the NDA portion of contractor and consulting agreements.
Thanks again for the thoughts on this. The sharing of ePHI would be between our client, a pathology lab, and their clients, MDs. So, it sounds like if our client has a BAA (Business Associates Agreement) with their client, then emailing a password encrypted PDF with ePHI should be compliant.
Does that sound about right?
#6
Posted 08 February 2012 - 10:22 AM
I'm not a lawyer, but that sounds about right.