HIPAA compliance & email encryption

arwes Member Posts: 633
Due to some changes in HIPAA (eff 2/17/10), we (life & health insurance agency) will be held to the same privacy & security rules as healthcare providers. As such, I've been tasked with finding a decent HIPAA compliant encryption provider to use with our Exchange 2003 setup. At my last job, we used Zixcorp but from my experience it tended to confuse end users when retrieving their attachments.

Any other recommendations? My boss is leaning toward Cipherpost from AppRiver (we already use them for spam filtering). I've had great dealings with their support dept as well.
Started WGU - BS IT:NDM on 1/1/13, finished 12/31/14
Working on: Waiting on the mailman to bring me a diploma
What's left: Graduation!

Comments

  • arwes Member Posts: 633
    Well we tried Cipherpost from AppRiver and found out that it doesn't work with Windows Server 2003 and terminal services. Any suggestions for an alternative?
  • Claymoore Member Posts: 1,637
    Does the mail need to be encrypted at rest or in transit? If you only need to encrypt the mail in transit, TLS encryption is the best choice, but it is easier to implement in 2007 or 2010 because both support opportunistic TLS. Your current smart host may also support opportunistic TLS where it would automatically encrypt the email transmission between servers.

    For encryption at rest, I recommend something like IronPort that will automatically encrypt messages based on rules. Cisco will also manage the keys for you, which eliminates a huge hassle. Exchange 2010 can also encrypt messages based on transport rules, but you will have to manage the keys with RMS yourself.

    Only look at a local PGP client if you plan on quitting soon and you hate your coworkers.
  • arwes Member Posts: 633
    Thanks for the reply. Yeah, it would have to be at rest. I've got an email off looking into pricing for hosted IronPort, and haven't heard anything back yet. That said, I just love the people I work with. I got back to work on Monday (was in the Bahamas all last week), and the Life & Health sales manager says, "Oh yeah, we need encrypted email for my employees by Wednesday." There's no telling how long he's actually known this was needed, and knowing our luck we'll be audited tomorrow, LOL.
  • RobertKaucher Member Posts: 4,299
    arwes wrote: »
    Thanks for the reply. Yeah, it would have to be at rest. I've got an email off looking into pricing for hosted IronPort, and haven't heard anything back yet. That said, I just love the people I work with. I got back to work on Monday (was in the Bahamas all last week), and the Life & Health sales manager says, "Oh yeah, we need encrypted email for my employees by Wednesday." There's no telling how long he's actually known this was needed, and knowing our luck we'll be audited tomorrow, LOL.

    Tell me about it. I created a custom module for the shipping requirements of a major new customer. I sent out an email stating it needed to be tested before it was actually used. I copied the VP of Engineering and Project Management and the entire Shipping Department. 7 days later I get a phone call stating the first shipment needed to leave that night. Give me a flipping break. I have made it a part of my own internal process to follow up repeatedly on outstanding items, to the point that I become an annoyance.
  • arwes Member Posts: 633
    RobertKaucher wrote: »
    Tell me about it. I created a custom module for the shipping requirements of a major new customer. I sent out an email stating it needed to be tested before it was actually used. I copied the VP of Engineering and Project Management and the entire Shipping Department. 7 days later I get a phone call stating the first shipment needed to leave that night. Give me a flipping break. I have made it a part of my own internal process to follow up repeatedly on outstanding items, to the point that I become an annoyance.

    LOL. Well, my boss just came in and talked with me, and apparently this went from 'funny' to 'LMAO'. These new HIPAA regulations? Yeah, they went into effect January 2009. Yep, what we've had the last year was the one-year grace period. He's thinking we don't actually have to offer email encryption based on what he's read in the rules (I'm not sure about that), but we're going to check with a larger company in Baton Rouge and see what they're doing (they've got about 800 users).
  • Nuwin Member Posts: 75
    The place I'm at now doesn't offer any e-mail encryption. It is in our policy & procedures that any ePHI is not to be e-mailed, and users are subject to the discipline policy if found to be doing so, etc. etc.

    It seems to get us by. I never hear of any recommendations from our auditors.
    "By the power of Grayskull"
  • RobertKaucher Member Posts: 4,299
    The standard is way too vague. But if you ARE sending PHI via email, you must use some sort of encryption, as cost is just not an excuse. There are free methods out there, etc. Now if you go the way of Nuwin, there is still the concern of how you ensure the PHI does not get sent in email. My wife works in mental health, and HIPAA compliance for her agency is one of her job roles, so I know a little about this from my conversations with her, but not much more than that.

    The real PITA, though, is how vague HIPAA is, using words like "reasonable" and "appropriate" rather than setting concrete guidelines.
  • arwes Member Posts: 633
    My last job was at a nonprofit hospital, and it was sold to a for-profit company. The HIPAA compliance officer was a little overboard, IMO. For instance, our server room had no terminals in it at all; all administration was handled from my office (a few AViiONs running DG/UX, an AIX box and an AS/400). No routers, no switches. However, if work needed to be done in the server room (like working on the AC), they had to sign in and a member of the IT staff had to remain in the room with them at all times (which usually ended up being me). Nothing like a good bit of plumber's crack before you get to go home.
  • jessica382 Member Posts: 1
    Hi

    You can contact Edifecs; they provide online services for HIPAA testing and certification. They have a special Compliance Online program for this. Check this for more details on HIPAA certification and compliance online.
    Hope this helps you.
    Cheers.
  • RTmarc Member Posts: 1,082
    We are tackling it with the IronPort. Same function as ZixCorp but looks to be the easiest for our situation.
  • arwes Member Posts: 633
    Yeah, the only thing I ever got back from Cisco regarding IronPort was their QA survey on how my request was handled. Yeah, that wasn't pretty.

    We're using Cipherpost from AppRiver, but my boss seems to think that according to the wording of the new HIPAA stuff, we're in the clear regardless.
  • brad- Member Posts: 1,218
    I haven't had to implement it, but I have used some of PGP's products and liked them. They do have a 'universal gateway email' product too.