Ascension Health HIPAA Web Site
Maintained by Don Stry, Information Services Division
(812) 228-2131 Email: dstry@ascensionhealth.org
Section: Email Security and HIPAA - Sources of Information
CMS Transcript on Email Encryption From 02/02/03 Audio Conference
Hosted by the HHS Centers for Medicare & Medicaid Services (CMS)
Transcript excerpt from the Feb. 2, 2003 CMS HIPAA audio conference:
Question from caller on the Feb. 2, 2003 CMS HIPAA audio conference: You mentioned in the first part of the meeting about encryption of e-mail. Could you go over that again or just the need to not encrypt e-mail?
Response from Karen Trudel, Director, HIPAA Project Staff, CMS: Yes, I can answer that. Initially the proposed rule required that all transmissions over an open network be encrypted. We have since decided that - and the Final Rule reflects this - that it is not required to encrypt transmissions over an open network. It is something that the covered entity needs to assess to determine whether that is appropriate for them and under what circumstances. For instance, Medicare does not even accept transmissions over the Internet at all. So that is something that each covered entity needs to think about.
What I said about encrypting e-mail was that one of the considerations that we had was that especially for small health care providers who are communicating among each other via e-mail to discuss patient care, requiring that those transmissions be encrypted could have a chilling effect on patient care. And therefore, that was one of the considerations that caused us to make this an addressable implementation specification. Therefore, the general rule is encryption over an open network is “addressable”.
This means that the covered entity needs to look at whether they need to do it, make a decision as to whether it's right for them or wrong, and then either implement or document what else they're going to do to keep communications over an open network like the Internet safe and secure.
And one thing - someone who's a provider told me that what they do, when they do Internet e-mail communication with their patients is that they tell the patient ahead of time, if you're going to e-mail me, you must understand that the Internet is inherently an insecure medium. And if you're going to use it, you need to accept that risk. And essentially that is one of the other things that they've put in place to increase the awareness on the part of the patient as to whether they want to accept that risk or not.
End of transcript excerpt. A complete transcript of the 2/28/03 CMS HIPAA Roundtable can be downloaded from the CMS website at http://www.cms.hhs.gov/hipaa/hipaa2/