
Echoworx Healthcare Privacy Solution Whitepaper

The Echoworx Healthcare Encryption Solution helps you to comply with HIPAA regulations

Toronto
4101 Yonge Street
Suite 708,
Toronto, ON, Canada
M2P 1N6

Atlanta
1890 The Exchange
Atlanta, GA
30339

London
27 Old Gloucester Street
London, United Kingdom
WC1N 3AX

Proprietary and confidential; for use by intended recipient only.


Introduction

Businesses including Healthcare organizations are required by law to protect vital email and data communications. Healthcare providers, lawyers, financial advisors, accountants, educators, and other professional advisors have ethical and fiduciary duties to keep their clients' personal information confidential. Healthcare providers need to be able to trust their email communications and reduce the risk of damage to their brand resulting from information obtained through intercepted email. Consumers are concerned about personal security, privacy, fraud and identity theft.

Governments have also enacted legislative measures to protect the privacy of personal information which either expressly or impliedly apply to personal information communicated electronically. Federal and state governments have enacted legislation that protects the privacy of personal information generally, as well as industry-specific legislation that protects confidential information from unauthorized disclosure and use.

Privacy legislation imposes a general obligation on businesses and government to protect the privacy and security of personal and private information. Some privacy legislation expressly requires that specific measures be taken to protect against unauthorized disclosure of electronically stored or communicated information. The test is whether "reasonable measures" have been considered and implemented to protect the privacy of personal information. There is no longer a reasonable expectation that email cannot be intercepted and read without authorization.

HIPAA mandates the privacy and security of protected health information (PHI). The HIPAA security rule was published in May 2003 and subject to enforcement for all covered entities starting in April 2005. Given the productivity gains for healthcare professionals to communicate with patients and other doctors and health professionals via email, healthcare organizations need to leverage real-time electronic communications, but do so securely.
HIPAA at a glance

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes national standards to protect the privacy of personal health information by establishing standards that protect individually identifiable health information.

Health information is defined as any information, whether oral or recorded in any form, that relates to the past, present or future condition of an individual (HIPAA § 1171(4)). Individually identifiable health information is defined as health information that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

HIPAA is intended to ensure that health plans, doctors, hospitals and other health care providers take appropriate measures to control how personal health information such as patients' health records, test results, x-rays, and prescriptions, is used, disclosed and protected.

In order to take advantage of email communication for the efficient and timely transfer of patient information, health care practitioners must take reasonable measures to ensure that this information is protected from unauthorized access and disclosure.

New HIPAA Requirements

On February 17, 2009, President Obama signed the American Recovery and Reinvestment Act into law. Embedded in the lengthy Stimulus Bill is the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") which significantly expands the scope of HIPAA. Many of the law's new HIPAA requirements take effect at the beginning of 2010, so providers and other covered entities should begin planning for compliance now.

Echoworx Healthcare Privacy Whitepaper


Who is impacted by HIPAA?

HIPAA states that security standards and requirements for the maintenance or electronic transmission of health information apply to the following persons:

• Health Plans: generally including health, dental, vision and prescription drug insurers, HMOs, Medicare, Medicaid, and long-term care insurers;

• Health Care Clearinghouses: for example, billing services, repricing companies or community health management information systems; and

• Health Care Providers who transmit any health information in electronic form in connection with a transaction for a "covered entity".

HIPAA dictates that organizations must ensure that:

• Email messages containing protected health information are secured, even when transmitted via unencrypted links

• Senders and recipients are properly verified via person or entity authentication

• Email servers and the messages they contain are protected

Did you know?

The main government agencies that enforce HIPAA violations are the:

CMS: Center of Medicare & Medicaid Services

OCR: Office of Civil Rights

OIG: Office of the Inspector General.

HIPAA requires emails to be secured for sending

Encrypted email is an important communications channel for health care professionals. Each person listed above who maintains or transmits health information must maintain reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of the information (HIPAA § 1173(d)(2)). These safeguards must also protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized uses or disclosures of the information.

Under HIPAA, the Department of Health and Human Services publishes a Security Rule mandating that each covered entity develop policies, procedures and contingency plans for securing information. The HIPAA Security Rule does not expressly prohibit the use of email for sending electronic protected health information (PHI). The Security Rule allows for electronic PHI to be sent over an electronic open network as long as it is adequately protected.

The standards for:

• access control (45 CFR § 164.312(a)),
• integrity (45 CFR § 164.312(c)(1)), and
• transmission security (45 CFR § 164.312(e)(1))

require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to electronic PHI.

The standard for transmission security (§ 164.312(e)) also includes specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect electronic PHI as it is transmitted, select a solution, and document the decision.

Did you know?

According to the OIG and CMS, there have been over 41,000 cases reported of HIPAA violations since 2003.



Liability of Breach of HIPAA

In general, fines can be imposed by the Department of Health and Human Services on a person who does not comply with standards set forth under HIPAA (HIPAA § 1176(1)). The fine can be imposed each time an incident of non-compliance occurs, but will be capped at a maximum of $25,000 per calendar year. The fine may not be imposed if the failure to comply with the standards was due to reasonable cause rather than to willful neglect and the issue resulting in a failure to comply is corrected within 30 days of when the person liable for the penalty knew or should have known about the lack of compliance (HIPAA § 1176(b)(3)).

In addition, a person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of $50,000 and up to one-year imprisonment (HIPAA § 1177). The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to ten years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm (HIPAA § 1177).
How Echoworx Encryption helps you to comply with HIPAA

Echoworx delivers the highest level of email and data security by providing a strong email encryption and document encryption solution. From the beginning, Echoworx has focused on providing the most secure email encryption solutions while making the solution the easiest to use in the industry. Echoworx encryption products provide strong protection for data while in transmission over open networks due to the use of security standards such as PKI, S/MIME, X.509, and TLS.

Echoworx Encrypted Mail Gateway (EMG)

Echoworx Encrypted Mail Gateway (EMG) makes secure messaging as easy to use and transparent as normal email. EMG allows Healthcare providers to set flexible policies that automate the encryption of outbound email, which mitigates the risks of regulatory violations, data loss and corporate policy violations, without impacting day to day business activities. EMG makes it easy to share sensitive information with other healthcare providers, patients, and individual physician offices.

With EMG there is no user training required as email is encrypted at the boundary or gateway based on triggered policies. The Echoworx EMG solution automatically and dynamically applies encryption or decryption based on your organization's policies, right at the gateway. As a result, end users do not require any special training or need to download any special software to use the service.

Encrypted Mail Gateway

EMG end users do not require any training, since policy enforcement and encryption is completely transparent. A user simply composes the email, and the content is automatically scanned to detect whether the message should be encrypted before it is sent.

Standards-based Encryption

PKI, S/MIME and X.509; AES, 128-bit SSL, 1024-bit RSA keys with MD5 and SHA-1 for strong encryption and digital signature.

Rapid Deployment

A few deployment options are available based on a company's preferred configuration.

Secure Reply

EMG allows anyone who receives an Encrypted Mail message to respond securely without installing any software.



Policy Driven Encryption for HIPAA

Using a simple point-and-click web interface, enterprises can easily set their email encryption and DLP policies for their email content, and can review and customize these rules when necessary. Enterprises can utilize the EMG admin console to access audit reports that will identify corporate email risks, where they can monitor ongoing communication and, if necessary, alter the email encryption and DLP policies to mitigate risks.

The EMG Policy Engine allows healthcare organizations to implement encryption based on specific message content and sender or recipient identity, or as follows:

• Confidential information – social insurance, credit card, account numbers, banking transactions, loans and balances
• Patient information – Patient numbers, Medical record numbers
• Insurance Information – NDC Drug Numbers
• HCPCS Codes for 2010
• HIPAA oriented keywords and regular expressions
• Include domain names, specific groups within the organization
• Health Information (patient identifiers, health conditions)
• Unique terminology – specific to healthcare verticals, pertaining to proprietary information or intellectual property
• All of the above can also relate to message attachments such as Excel spreadsheets, PDFs or executable (*.EXE) files

Did you know?

The list of 2010 Healthcare Common Procedure Codes (HCPCS) contains over 9,600 expressions. All of the 2010 HCPCS codes are built into the Echoworx EMG solution.
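The policy categories listed above (content patterns, keywords, sender or recipient identity, and scanning of attachment text) can be illustrated with a small gateway-style rule engine. The code below is an added example written for this page; it is not Echoworx EMG code and does not reflect how EMG implements its policy engine. The rule set, the "MRN" record-number format, the domain names, the sender group and the two sample messages are all constructed assumptions. It shows two points a practitioner cares about: a Luhn check so that invoice or order numbers do not trigger the credit-card rule, and audit records that carry only a redacted sample of the matched value rather than the PHI itself.

```python
import re
from dataclasses import dataclass, field

# --- Hypothetical rule set (illustrative patterns, not Echoworx EMG's own) ---
CONTENT_RULES = {
    # 13-16 digits with optional space/dash separators; confirmed with Luhn below
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    # constructed medical record number format: "MRN" followed by 6-10 digits
    "medical_record_number": re.compile(r"\bMRN[-:\s]?\d{6,10}\b", re.IGNORECASE),
    # HCPCS Level II code format: one letter followed by four digits
    "hcpcs_code": re.compile(r"\b[A-V]\d{4}\b"),
    # NDC drug number in its hyphenated 4-4-2 / 5-3-2 / 5-4-1 layouts
    "ndc_drug_number": re.compile(r"\b\d{4,5}-\d{3,4}-\d{1,2}\b"),
}
HIPAA_KEYWORDS = ("patient", "diagnosis", "prescription", "test results")
ALWAYS_ENCRYPT_SENDERS = {"billing@example-clinic.test"}   # constructed group
PARTNER_DOMAINS = {"partner-hospital.test"}                 # constructed domains


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    # attachments as (filename, text already extracted from the file)
    attachments: list = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(token: str) -> str:
    """Keep only the last four characters so audit records do not carry PHI."""
    return "*" * max(len(token) - 4, 0) + token[-4:]


def scan_text(where: str, text: str, matches: list) -> None:
    """Apply every content rule and keyword to one text section of the message."""
    for rule, pattern in CONTENT_RULES.items():
        for m in pattern.finditer(text):
            token = m.group(0)
            if rule == "credit_card" and not luhn_ok(re.sub(r"\D", "", token)):
                continue  # fails Luhn: an invoice or order number, not a card
            matches.append((rule, where, redact(token)))
    lowered = text.lower()
    for kw in HIPAA_KEYWORDS:
        if kw in lowered:
            matches.append(("hipaa_keyword", where, kw))


def evaluate(msg: Message) -> dict:
    """Decide whether the gateway should encrypt; return the matches for the audit log."""
    matches = []
    # identity-based rules: sender group and partner recipient domains
    if msg.sender.lower() in ALWAYS_ENCRYPT_SENDERS:
        matches.append(("sender_group", "header", msg.sender))
    for rcpt in msg.recipients:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in PARTNER_DOMAINS:
            matches.append(("recipient_domain", "header", domain))
    # content-based rules over subject, body and extracted attachment text
    scan_text("subject", msg.subject, matches)
    scan_text("body", msg.body, matches)
    for filename, text in msg.attachments:
        scan_text(f"attachment:{filename}", text, matches)
    return {"encrypt": bool(matches), "matches": matches}


# Constructed sample traffic, not real messages or real identifiers
PHI_MESSAGE = Message(
    sender="dr.lee@example-clinic.test",
    recipients=["someone@mail.test"],
    subject="Your test results",
    body="Patient MRN 00123456: follow-up booked. Copay charged to card 4111 1111 1111 1111.",
    attachments=[("claim.xlsx", "NDC 0069-0151-01 dispensed; HCPCS G0438")],
)
INVOICE_MESSAGE = Message(
    sender="it@example-clinic.test",
    recipients=["vendor@supplier.test"],
    subject="Invoice 1234 5678 9012 3456",
    body="Please confirm receipt of our purchase order 7788.",
)

if __name__ == "__main__":
    for m in (PHI_MESSAGE, INVOICE_MESSAGE):
        result = evaluate(m)
        print(m.subject, "->", "ENCRYPT" if result["encrypt"] else "pass")
        for rule, where, sample in result["matches"]:
            print(f"  {rule:<22} {where:<22} {sample}")
```

The invoice message contains a 16-digit run that the credit-card pattern matches but the Luhn check rejects, so it is passed through unencrypted; the first message is encrypted because of matches in the subject, the body and the attachment text, and the returned match list is what an audit report would record.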

Additional HIPAA Resources

Department of Health & Human Services - HIPAA
The official central governmental hub for all HIPAA issues including rules, standards and implementation guides.
http://www.hhs.gov/ocr/hipaa/

Health Insurance Portability and Accountability Act - Wikipedia ...
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (P.L. 104-191) [HIPAA] was enacted by the U.S. Congress in 1996. ...
http://en.wikipedia.org/.../Health_Insurance_Portability_and_Accountability_Act

P.L. 104-191
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 ..... Comments/suggestions and other questions about HIPAA should be directed to the Web Master.
http://aspe.hhs.gov/admnsimp/pl104191.htm



About Echoworx

Echoworx is a provider of security solutions for enhancing privacy and trust in digital communications. Echoworx privacy applications leverage the power of the Echoworx Encryption Services (EES) platform, which is hosted at Secure Data Centers around the globe. All data is encrypted using industry trusted standard PKI (Public Key Infrastructure) and S/MIME technologies for strong encryption and digital signatures, relying on standard X.509 certificates. Echoworx data privacy applications include: Encrypted Mail, Policy-based Encrypted Mail Gateway, Encrypted Documents, Encrypted Document Presentment, and Encrypted Message eXchange. Echoworx products are currently offered by leading communication providers that include: AT&T, BT, Symantec, LogicaCMG, Telus, and Verizon.

Copyright © 2010 – Echoworx Corporation. Do Not Distribute Without Permission.

All rights reserved.

This document is the intellectual, proprietary and confidential property of Echoworx Corporation. This document is
provided for informational purposes only and Echoworx makes no warranties, either express or implied. Information in
this document, including URLs and other Internet references, are subject to change without notice. The entire risk of
the use or the results of the use of this document remains with the user.

By accepting possession of this document the recipient agrees to keep the contents of this document in confidence
and not to redistribute, duplicate, or disclose the contents of this document unless otherwise agreed to by Echoworx
Corporation.

Echoworx Corporation. 4101 Yonge Street, Suite 708, Toronto, Ontario M2P 1N6 Canada, http://www.echoworx.com/
