IMC membership | Features chart | Newsletter | Internet Mail standards
Definitions | Reports | Internationalization
HIPAA | Spam | MIME test | vCard/vCalendar
S/MIME and PGP/MIME | Other organizations | IMC home
Privacy and authentication on the Internet are always hotly-debated topics. Different people have wildly different views on how to balance privacy with law enforcement, and how to balance authentication with privacy. The fact that many countries have radically different laws about privacy makes an international debate all that much harder to hold.
Within the privacy debate, one of the sub-topics that has personal meaning for many people is the transmission of medical records over the Internet. As the medical world moves from paper to electronic records, many people have become frightened by the careless handling of these records, such as when a hospital or doctor accidentally makes patient records accessible over the Internet.
In 1996, the U.S. passed a large healthcare law called the "Health Insurance Portability and Accountability Act", commonly referred to as "HIPAA". The law has many parts, but one that has generated a great deal of concern in the U.S. health care industry is the section on privacy of patient records. That section caused the U.S. Department of Health and Human Services to create rules about patients' access to their medical records and control over the use of their personal health information. More significantly for the health industry, the rule also describes the responsibility for health care providers and health plans to protect the privacy of the patients' records. These providers must follow those rules starting in 2003 and 2004.
The new rules are fairly extensive. The part most relevant to the Internet mail industry is the rule requiring "securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them." The rules do not specify which technologies should be used to preserve confidentiality of patient records, so individual health care facilities can chose which technologies will best suit their needs while being secure enough to prevent improper access to patient records.
Many health care companies already use secure email, usually with the S/MIME standard, for their internal use, while others are in various states of deployment of S/MIME or PGP. Secure mail systems that are used for site-to-site or end-to-end encryption will prevent snooping of patient records between the two sites. Most secure mail systems today allow for unrelated sites that have a common trusted third party to easily encrypt all of the mail traffic between the sites. Secure mail can also be used for sending mail directly to patients. Thus, there is a great deal of interest in using secure mail to comply with parts of the HIPAA rules.
Because secure mail is considered to be a good means for securing patient records over the Internet, many of IMC's members have created HIPAA-specific information for their customers. The following lists links from IMC's members.
More links are expected to be added in the near future.The U.S. government has two significant sites about HIPAA:
- http://www.hhs.gov/ocr/hipaa/
- http://www.hcfa.gov/hipaa/hipaahm.htm
Both sites are good starting places for health care professionals
and those who are creating secure services for them.
There is also a conference on HIPAA covering a wide range of legal and technical issues.