
Password Protected PDF HIPAA Compliant?


Matt Klein

This topic is 3313 days old. Please don't post here. Open a new topic instead.


I have scoured the internet to find out if attaching a Password protected PDF to an email is HIPAA compliant. All I see talked about is encrypting the email itself.

Does anyone know if attaching an encrypted, password protected PDF to an email is considered HIPAA compliant?


HIPAA is intentionally vague about specific technical practices like whether it's enough to encrypt just an attachment, or if the whole email has to be encrypted. This is because lawmakers can't predict what security issues or resolutions may come up as new technology is developed. The important thing is that you have a documented policy describing what's acceptable for your organization and why you made that decision.

If the ePHI you're protecting is in the PDF and not in the email, I'd say that encrypting the PDF (so long as the password is nowhere near the email) is a defensible practice. (I have worked on systems with HIPAA-regulated data, but I'm not a lawyer, so don't take my word for it.)


Thanks for the reply Jeremy. I find HIPAA to be entirely vague. I have found no specific outline of what is expected. Just conversations between those of us that are in the industry trying to ensure we and our clients are properly protected.

Assuming that the ePHI only exists in the PDF and the PDF is encrypted with a password, is it sufficient to allow our clients to decide whether to email the ePHI as password encrypted PDFs?


I'd say that emailing password protected PDFs is probably acceptable; but if your clients are emailing these PDFs outside the organization, there is a policy complication. If the HIPAA-regulated client of yours is hoping to share ePHI with an outside party (perhaps you, for example), the client needs to secure a contract with the outside party that includes terms forcing the outside party to protect the security of that data. Basically, HIPAA says that if your client is going to share data, they need a (legally binding) promise from the outside party that they'll take good care of it, too. This is often handled by the NDA portion of contractor and consulting agreements.


Thanks again for the thoughts on this. The sharing of ePHI would be between our client, a pathology lab, and their clients, MDs. So, it sounds like if our client has a BAA (Business Associate Agreement) with their client, then emailing a password encrypted PDF with ePHI should be compliant.

Does that sound about right?


I know I am a little late replying to this, but it may help someone else viewing this thread.

In FileMaker the option save PDF with a password, does not encrypt the PDF. It just requires the password to open it or a cracker. Therefore, it is my opinion that this does not meet HIPAA compliance if this PDF was emailed.

Tim


Matt didn't make any mention of a PDF being exported from FileMaker. But I agree, a PDF that is only password protected, but not encrypted, is not reasonably protected for the purposes of HIPAA.

Antidote, saying that "it just requires a password to open" is not a solid argument that a document is insecure. Shared secrets are a widespread accepted practice in cryptosystems. Practical encryption should "just require a password to open." The document is only insecure (for HIPAA purposes) if the data in it can be read without the password or any attempt to "crack" (i.e. guess) the password.


Antidote -

I'm going to politely disagree with you, though I'm open to being proven wrong, regarding "In FileMaker the option save PDF with a password, does not encrypt the PDF."

I just ran a few tests. The first was simply applying a user password, aka the password required to open the PDF, to a PDF created by FileMaker. I then opened that PDF and went to Edit > Protection > Security Properties. I then clicked Advanced on the Security tab and it shows the Encryption level to be 128-bit AES.

I then ran a test by applying an owner password, aka the password required to control the restrictions such as allowing printing, copying, filling of form fields, etc. I then checked the Encryption level and it was at 128-bit AES.

That said, I definitely don't think that simply applying a user password is enough for HIPAA purposes. We apply both an owner AND a user password to the PDF.

Jaesonborn -

I agree. Nothing is completely safe these days. I believe that is why HIPAA uses terms like "reasonable effort" and "best effort".

We ended up taking it a step further and we encapsulate the password protected/encrypted PDF in a 256-bit AES encrypted ZIP file before attaching it to the e-mail.


That said, I definitely don't think that simply applying a user password is enough for HIPAA purposes.

I disagree. HIPAA does not specify particular methods or levels of encryption necessary to satisfy any of its rules. If the encryption is good enough for classified documents up to "secret" level (which AES 128 is), it's "reasonable and appropriate" for HIPAA. I'm not familiar with the details of PDF security, but I know the AES algorithm has no concept of an "owner," only an encryption key. Adding a username to a password-protected PDF can't do anything to improve the strength of the encryption.


Adding a username to a password-protected PDF can't do anything to improve the strength of the encryption.

I agree. I only distinguished between the user and owner passwords in my post because, in the PDF world, they have different purposes. But, I agree, having both passwords doesn't likely change the encryption.

Not using an owner password will leave the PDF in a vulnerable state and allow the user to possibly change the document in some way. Perhaps that's not a HIPAA concern.

It IS something that we need to worry about in the medical industry as there are other legislative bodies that require documents to be protected from modification after they are signed off on.
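
An added worked example (not code from FileMaker, Acrobat or any poster in this thread) that turns the two points above into something checkable: what the "128-bit AES" shown in Acrobat's Security Properties dialog corresponds to in the file's /Encrypt dictionary, and why an owner password adds nothing to confidentiality. The script assumes the /Encrypt values and the file's /ID[0] have already been read out of the trailer with any PDF parser, and implements the PDF 1.7 standard security handler's key derivation and user-password check (Algorithms 2, 5 and 6) for revisions 2-4; the sample /O and /ID bytes are constructed, and the AES-256 (R5/R6) scheme is out of scope.

```python
"""Inspect a PDF's /Encrypt dictionary (standard security handler, revisions 2-4).
Added example for this thread, not FileMaker, Acrobat or any poster's code. Assumes
the /Encrypt values and /ID[0] were already read from the trailer with a PDF parser;
the R5/R6 AES-256 scheme (SHA-256 based) is not covered."""
import hashlib

# Fixed 32-byte padding string from the PDF spec, section 7.6.3.3.
PAD = bytes([0x28, 0xBF, 0x4E, 0x5E, 0x4E, 0x75, 0x8A, 0x41, 0x64, 0x00, 0x4E, 0x56, 0xFF, 0xFA,
             0x01, 0x08, 0x2E, 0x2E, 0x00, 0xB6, 0xD0, 0x68, 0x3E, 0x80, 0x2F, 0x0C, 0xA9, 0xFE,
             0x64, 0x53, 0x69, 0x7A])


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the handler uses it for /U even when the streams are AES-128."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i, j = (i + 1) & 0xFF, (j + s[(i + 1) & 0xFF]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def file_key(user_password: bytes, enc: dict, id0: bytes) -> bytes:
    """Algorithm 2: the file key comes from the USER password only; the owner password never enters."""
    r = enc["R"]
    if r not in (2, 3, 4):
        raise ValueError("only standard security handler revisions 2-4 are handled")
    n = enc.get("Length", 40) // 8 if r >= 3 else 5
    perms = (enc["P"] & 0xFFFFFFFF).to_bytes(4, "little")
    h = hashlib.md5((user_password + PAD)[:32] + enc["O"] + perms + id0)
    if r == 4 and enc.get("EncryptMetadata", True) is False:
        h.update(b"\xff\xff\xff\xff")
    key = h.digest()
    if r >= 3:
        for _ in range(50):  # the spec's extra MD5 rounds; still cheap to brute-force
            key = hashlib.md5(key[:n]).digest()
    return key[:n]


def compute_u(key: bytes, enc: dict, id0: bytes) -> bytes:
    """Algorithms 4/5: the /U value a writer stores for a given file key."""
    if enc["R"] == 2:
        return rc4(key, PAD)
    h = rc4(key, hashlib.md5(PAD + id0).digest())
    for i in range(1, 20):
        h = rc4(bytes(b ^ i for b in key), h)
    return h + b"\x00" * 16  # trailing 16 bytes are arbitrary padding


def user_password_ok(password: bytes, enc: dict, id0: bytes) -> bool:
    """Algorithm 6: does this password open the file?"""
    u = compute_u(file_key(password, enc, id0), enc, id0)
    cmp_len = 32 if enc["R"] == 2 else 16
    return u[:cmp_len] == enc["U"][:cmp_len]


def opens_without_password(enc: dict, id0: bytes) -> bool:
    """True when only an owner password was set: the user password is empty, so any reader derives the key."""
    return user_password_ok(b"", enc, id0)


def describe(enc) -> str:
    """Roughly what Acrobat's Security Properties > Advanced tab reports as the encryption level."""
    if enc is None:
        return "not encrypted"
    if enc["V"] in (1, 2):
        return f"RC4 {enc.get('Length', 40)}-bit"
    if enc["V"] == 5:
        return "AES 256-bit"
    cfm = enc["CF"][enc["StmF"]]["CFM"] if enc.get("StmF", "Identity") != "Identity" else "None"
    return {"AESV2": "AES 128-bit", "V2": "RC4 128-bit"}.get(cfm, "streams not encrypted")


def make_encrypt_dict(user_password: bytes, id0: bytes, owner_bytes: bytes) -> dict:
    """Constructed sample: a revision-4 AES-128 /Encrypt dict; /O only feeds key derivation, so any 32 bytes do."""
    enc = {"Filter": "Standard", "V": 4, "R": 4, "Length": 128, "P": -1,
           "O": owner_bytes, "CF": {"StdCF": {"CFM": "AESV2", "Length": 16}},
           "StmF": "StdCF", "StrF": "StdCF"}
    enc["U"] = compute_u(file_key(user_password, enc, id0), enc, id0)
    return enc


def guess_user_password(candidates, enc: dict, id0: bytes):
    """Offline guessing: ~51 MD5 + 20 RC4 per try and no server involved, so password strength is the bound."""
    for cand in candidates:
        if user_password_ok(cand, enc, id0):
            return cand
    return None


if __name__ == "__main__":
    ID0, OWNER = bytes.fromhex("00112233445566778899aabbccddeeff"), bytes(range(32))  # constructed
    owner_only, locked = make_encrypt_dict(b"", ID0, OWNER), make_encrypt_dict(b"s3cret", ID0, OWNER)
    print(describe(locked), opens_without_password(owner_only, ID0), opens_without_password(locked, ID0))
```

The result for the owner-password-only sample is the one that matters for this thread: the file key is derived from the user password, which is empty, so every reader (and any script like this one) decrypts the content with no prompt, and the printing/editing restrictions in /P are honoured only by cooperating viewers. A user password does give real AES-128 encryption of the content, but checking a candidate is an offline MD5/RC4 computation, so the attachment is exactly as strong as the password chosen for it.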


Very late addition to this discussion, but thought I'd toss it in for future reference. Unencrypted email is permitted, given certain caveats. From HHS:

http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html

Excerpt:

Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?

Answer: Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.
