ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    o365 and HIPAA information between two different agencies

    IT Discussion
    7
    35
    2.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DashrenderD
      Dashrender @JaredBusch
      last edited by

      @JaredBusch said in o365 and HIPAA information between two different agencies:

      @Dashrender said in o365 and HIPAA information between two different agencies:

      @BRRABill said in o365 and HIPAA information between two different agencies:

      @Mike-Davis said

      If two different agencies are using Office 365 can they send client information back an fourth? Office 365 says that it's HIPAA compliant, so if the information stays in their cloud, is it covered?

      Do you mean does just doing that (sending the file via O365) make it compliant?

      Assuming there was a guarantee of transport encryption - previous discussions here on ML would say - yes it does.

      No, that is not what was ever said.

      I have never seen anyone say that just using Exchange Online provides HIPAA compliance. I have seen it said by others and myself, that it gives you automatic opportunistic TLS and thus in most cases, your email is already encrypted.

      But compliance requires knowledge that encryption was used. That means you have to force TLS to be used on outbound mail that carries PHI covered by HIPAA.

      Did you even read what I wrote! Assuming a guarantee of transport encryption - which you can't do without turning off opportunistic TLS and making it mandatory. So that covers anything else you have to say. 🙂

      JaredBuschJ 1 Reply Last reply Reply Quote 0
      • JaredBuschJ
        JaredBusch @Dashrender
        last edited by

        @Dashrender said in o365 and HIPAA information between two different agencies:

        @JaredBusch said in o365 and HIPAA information between two different agencies:

        @Dashrender said in o365 and HIPAA information between two different agencies:

        @BRRABill said in o365 and HIPAA information between two different agencies:

        @Mike-Davis said

        If two different agencies are using Office 365 can they send client information back an fourth? Office 365 says that it's HIPAA compliant, so if the information stays in their cloud, is it covered?

        Do you mean does just doing that (sending the file via O365) make it compliant?

        Assuming there was a guarantee of transport encryption - previous discussions here on ML would say - yes it does.

        No, that is not what was ever said.

        I have never seen anyone say that just using Exchange Online provides HIPAA compliance. I have seen it said by others and myself, that it gives you automatic opportunistic TLS and thus in most cases, your email is already encrypted.

        But compliance requires knowledge that encryption was used. That means you have to force TLS to be used on outbound mail that carries PHI covered by HIPAA.

        Did you even read what I wrote! Assuming a guarantee of transport encryption - which you can't do without turning off opportunistic TLS and making it mandatory. So that covers anything else you have to say. 🙂

        Yes, I read exactly what you wrote. And by using such vague language I thought I was listening to a Trump speech.

        DashrenderD wirestyle22W 2 Replies Last reply Reply Quote 0
        • DashrenderD
          Dashrender @JaredBusch
          last edited by

          @JaredBusch said in o365 and HIPAA information between two different agencies:

          @Dashrender said in o365 and HIPAA information between two different agencies:

          @JaredBusch said in o365 and HIPAA information between two different agencies:

          @Dashrender said in o365 and HIPAA information between two different agencies:

          @BRRABill said in o365 and HIPAA information between two different agencies:

          @Mike-Davis said

          If two different agencies are using Office 365 can they send client information back an fourth? Office 365 says that it's HIPAA compliant, so if the information stays in their cloud, is it covered?

          Do you mean does just doing that (sending the file via O365) make it compliant?

          Assuming there was a guarantee of transport encryption - previous discussions here on ML would say - yes it does.

          No, that is not what was ever said.

          I have never seen anyone say that just using Exchange Online provides HIPAA compliance. I have seen it said by others and myself, that it gives you automatic opportunistic TLS and thus in most cases, your email is already encrypted.

          But compliance requires knowledge that encryption was used. That means you have to force TLS to be used on outbound mail that carries PHI covered by HIPAA.

          Did you even read what I wrote! Assuming a guarantee of transport encryption - which you can't do without turning off opportunistic TLS and making it mandatory. So that covers anything else you have to say. 🙂

          Yes, I read exactly what you wrote. And by using such vague language I thought I was listening to a Trump speech.

          LOl it wasn't vague in the least - easy to misinterpret, sure, worded in such a way that someone could draw any conclusion they wanted, but definitely not wrong.

          1 Reply Last reply Reply Quote 0
          • BRRABillB
            BRRABill
            last edited by

            What I meant to say was that there are like 5,000 things that go into HIPAA compliance. Which is why O365 would never say they are "HIPAA Compliant", but rather could be used as part of a company being compliant.

            For example if they are using Outlook and the file is then stored in a cache on a local machine, they are no longer compliant. Well, they could be, if it was also encrypted locally, inventoried, audited, etc., etc., etc..

            I just wanted to be sure the OP knew there was a lot more than just the transport to worry about.

            DashrenderD 1 Reply Last reply Reply Quote 1
            • Mike DavisM
              Mike Davis
              last edited by

              Thank you for all the responses. I understood what was meant.

              1 Reply Last reply Reply Quote 0
              • DashrenderD
                Dashrender @BRRABill
                last edited by

                @BRRABill said in o365 and HIPAA information between two different agencies:

                What I meant to say was that there are like 5,000 things that go into HIPAA compliance. Which is why O365 would never say they are "HIPAA Compliant", but rather could be used as part of a company being compliant.

                For example if they are using Outlook and the file is then stored in a cache on a local machine, they are no longer compliant. Well, they could be, if it was also encrypted locally, inventoried, audited, etc., etc., etc..

                I just wanted to be sure the OP knew there was a lot more than just the transport to worry about.

                Actually, at rest encryption is not a requirement. It's highly pushed, but not a requirement.

                BRRABillB 1 Reply Last reply Reply Quote 1
                • BRRABillB
                  BRRABill @Dashrender
                  last edited by

                  @Dashrender said

                  Actually, at rest encryption is not a requirement. It's highly pushed, but not a requirement.

                  Well, if you are going with that, neither does data in transmission.

                  But you better have a great reason for not doing it and a lot of documentation! 🙂

                  DashrenderD scottalanmillerS 3 Replies Last reply Reply Quote 0
                  • DashrenderD
                    Dashrender @BRRABill
                    last edited by

                    @BRRABill said in o365 and HIPAA information between two different agencies:

                    @Dashrender said

                    Actually, at rest encryption is not a requirement. It's highly pushed, but not a requirement.

                    Well, if you are going with that, neither does data in transmission.

                    But you better have a great reason for not doing it and a lot of documentation! 🙂

                    heads to the internet to find the specific about data crossing a public network

                    1 Reply Last reply Reply Quote 0
                    • wirestyle22W
                      wirestyle22 @JaredBusch
                      last edited by

                      @JaredBusch said in o365 and HIPAA information between two different agencies:

                      @Dashrender said in o365 and HIPAA information between two different agencies:

                      @JaredBusch said in o365 and HIPAA information between two different agencies:

                      @Dashrender said in o365 and HIPAA information between two different agencies:

                      @BRRABill said in o365 and HIPAA information between two different agencies:

                      @Mike-Davis said

                      If two different agencies are using Office 365 can they send client information back an fourth? Office 365 says that it's HIPAA compliant, so if the information stays in their cloud, is it covered?

                      Do you mean does just doing that (sending the file via O365) make it compliant?

                      Assuming there was a guarantee of transport encryption - previous discussions here on ML would say - yes it does.

                      No, that is not what was ever said.

                      I have never seen anyone say that just using Exchange Online provides HIPAA compliance. I have seen it said by others and myself, that it gives you automatic opportunistic TLS and thus in most cases, your email is already encrypted.

                      But compliance requires knowledge that encryption was used. That means you have to force TLS to be used on outbound mail that carries PHI covered by HIPAA.

                      Did you even read what I wrote! Assuming a guarantee of transport encryption - which you can't do without turning off opportunistic TLS and making it mandatory. So that covers anything else you have to say. 🙂

                      Yes, I read exactly what you wrote. And by using such vague language I thought I was listening to a Trump speech.

                      I mean--look, I'm for it. I'm for guaranteed transport encryption. Okay? But it's coming into our country to do tremendous harm. I've had so many people call me and say thank you. You see them talking and they say "Trump has a point."

                      DashrenderD 1 Reply Last reply Reply Quote 1
                      • scottalanmillerS
                        scottalanmiller @Mike Davis
                        last edited by

                        @Mike-Davis said in o365 and HIPAA information between two different agencies:

                        If two different agencies are using Office 365 can they send client information back an fourth? Office 365 says that it's HIPAA compliant, so if the information stays in their cloud, is it covered?

                        That's correct. Pure O365 transmissions meet the HIPAA requirements.

                        1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller @Dashrender
                          last edited by

                          @Dashrender said in o365 and HIPAA information between two different agencies:

                          Incoming doesn't matter so it will remain opportunistic, as it's the senders responsibility to ensure encryption exists, not the receiver.

                          Does that wording exist somewhere? What makes one party more responsible than the other?

                          DashrenderD 1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @BRRABill
                            last edited by

                            @BRRABill said in o365 and HIPAA information between two different agencies:

                            @Dashrender said

                            Actually, at rest encryption is not a requirement. It's highly pushed, but not a requirement.

                            Well, if you are going with that, neither does data in transmission.

                            But you better have a great reason for not doing it and a lot of documentation! 🙂

                            That correct, that fax is allowed, for example, or phone calls demonstrates that data encryption is never a requirement. It's just that IT staff take security so much more seriously by default.

                            1 Reply Last reply Reply Quote 0
                            • DashrenderD
                              Dashrender @BRRABill
                              last edited by

                              @BRRABill said in o365 and HIPAA information between two different agencies:

                              @Dashrender said

                              Actually, at rest encryption is not a requirement. It's highly pushed, but not a requirement.

                              Well, if you are going with that, neither does data in transmission.

                              But you better have a great reason for not doing it and a lot of documentation! 🙂

                              http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf

                              These two parts seem to have the most to do with encryption over a network. It seems I misunderstood, it it addressable. So, you're right, not required - but so easy and cheap to implement, you better have a damned good reason not to. Assuming the at rest encryption is the same, that's pretty easy to fight because at rest encryption is often expensive, if not in actual dollars, in management, so that would be a reason to not do it on the end user devices. that said, I think where possible doing it on mobile devices is prudent.

                              164.312(a)(2)(iv)
                              (iv)
                              Encryption and decryption
                              (Addressable).
                              Implement a
                              mechanism to encrypt and
                              decrypt electronic protected
                              health information.

                              (e)(1)
                              Standard: Transmission
                              security.
                              Implement technical
                              security measures to guard
                              against unauthorized access to
                              electronic protected health
                              information that is being
                              transmitted over an electronic
                              communications network.
                              (ii)
                              Encryption
                              (Addressable).
                              Implement a mechanism to
                              encrypt electronic protected
                              health information whenever
                              deemed appropriate.

                              scottalanmillerS 1 Reply Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender @wirestyle22
                                last edited by

                                @wirestyle22 said in o365 and HIPAA information between two different agencies:

                                @JaredBusch said in o365 and HIPAA information between two different agencies:

                                @Dashrender said in o365 and HIPAA information between two different agencies:

                                @JaredBusch said in o365 and HIPAA information between two different agencies:

                                @Dashrender said in o365 and HIPAA information between two different agencies:

                                @BRRABill said in o365 and HIPAA information between two different agencies:

                                @Mike-Davis said

                                If two different agencies are using Office 365 can they send client information back an fourth? Office 365 says that it's HIPAA compliant, so if the information stays in their cloud, is it covered?

                                Do you mean does just doing that (sending the file via O365) make it compliant?

                                Assuming there was a guarantee of transport encryption - previous discussions here on ML would say - yes it does.

                                No, that is not what was ever said.

                                I have never seen anyone say that just using Exchange Online provides HIPAA compliance. I have seen it said by others and myself, that it gives you automatic opportunistic TLS and thus in most cases, your email is already encrypted.

                                But compliance requires knowledge that encryption was used. That means you have to force TLS to be used on outbound mail that carries PHI covered by HIPAA.

                                Did you even read what I wrote! Assuming a guarantee of transport encryption - which you can't do without turning off opportunistic TLS and making it mandatory. So that covers anything else you have to say. 🙂

                                Yes, I read exactly what you wrote. And by using such vague language I thought I was listening to a Trump speech.

                                I mean--look, I'm for it. I'm for guaranteed transport encryption. Okay? But it's coming into our country to do tremendous harm. I've had so many people call me and say thank you. You see them talking and they say "Trump has a point."

                                damn.. I had to read that like 5 times, but I finally get the joke.
                                nice one.

                                1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @Dashrender
                                  last edited by

                                  @Dashrender You just used the same logic for why we say that fax isn't okay... it's so easy to do something better that there's really no excuse for using something without in transit security 😉

                                  DashrenderD 1 Reply Last reply Reply Quote 0
                                  • DashrenderD
                                    Dashrender @scottalanmiller
                                    last edited by

                                    @scottalanmiller said in o365 and HIPAA information between two different agencies:

                                    @Dashrender You just used the same logic for why we say that fax isn't okay... it's so easy to do something better that there's really no excuse for using something without in transit security 😉

                                    except I disagree with you that it's easier - and so do millions of others. That said, I agree that we SHOULDN'T be faxing, but it's not easier.

                                    1 Reply Last reply Reply Quote 0
                                    • DashrenderD
                                      Dashrender
                                      last edited by

                                      turning on TLS on email is completely transparent to the end user, moving from faxing to emailing is hugely impactful to the end user.

                                      1 Reply Last reply Reply Quote 0
                                      • BRRABillB
                                        BRRABill
                                        last edited by

                                        Even though @scottalanmiller and I disagreed on this (I think, I forget at this point) FDE locally is also very easy. And it basically absolves you of a breach. Which is why it's implemented in a lot of healthcare systems.

                                        But as you know, that's 2 pieces of hundreds if not thousands. Nuts.

                                        DashrenderD 1 Reply Last reply Reply Quote 0
                                        • DashrenderD
                                          Dashrender @scottalanmiller
                                          last edited by

                                          @scottalanmiller said in o365 and HIPAA information between two different agencies:

                                          @Dashrender said in o365 and HIPAA information between two different agencies:

                                          Incoming doesn't matter so it will remain opportunistic, as it's the senders responsibility to ensure encryption exists, not the receiver.

                                          Does that wording exist somewhere? What makes one party more responsible than the other?

                                          Not specifically that I am aware of, but how can you be responsible for how someone delivers something to you? I suppose given you fax thing, you could simply deny all access, but is that your job to ensure they are doing the right thing? You can't even tell if the message from them contains PHI until after they send it.

                                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                                          • DashrenderD
                                            Dashrender @BRRABill
                                            last edited by

                                            @BRRABill said in o365 and HIPAA information between two different agencies:

                                            Even though @scottalanmiller and I disagreed on this (I think, I forget at this point) FDE locally is also very easy. And it basically absolves you of a breach. Which is why it's implemented in a lot of healthcare systems.

                                            But as you know, that's 2 pieces of hundreds if not thousands. Nuts.

                                            FDE can be easy, but not cost effective. I have no idea how much FDE drives are these days, also what are the local system requirements to make them work? i.e. Does the BIOS have to support it?

                                            BRRABillB 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 1 / 2
                                            • First post
                                              Last post