
Password-Protected Word Documents and HIPAA

Status
Not open for further replies.

ctmmom

IS-IT--Management
Nov 18, 2003
1
US
Can anyone tell me whether or not password-protecting a Microsoft Word document meets HIPAA security guidelines? I can't seem to find any information or decision or ?? Thanks
 
There's a lot of info here on the strengths and weaknesses of Office's password protection:
If such protection is all you have to use within an organization (and this is often the case), then at least be sure to employ standards such as those found here:

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
And...here's one (of many) types of encryption that you can employ that you might find more robust than a Word password:

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
You must first ask how is the document being accessed or shared.

What is your purpose for password protecting the document? Could local permission settings on a workstation or directory permissions on a fileshare protect the document from unauthorized access?

If you are planning on sending the document outside of your network it must be encrypted; HIPAA is very clear on this. Basic password protection provided by Word will not suffice. ePHI that is classified in this respect as in motion must have a minimum encryption of 128-bit, but it does not specify a method type or how to exchange encryption keys with the other party. If the receiver is not a "Covered Entity" you must have a Business Associate Agreement in place with them and you must provide them with your HIPAA policies and procedures for handling PHI. If the receiver is not a "Covered Entity" you must receive permission from the patient to disclose PHI to a business associate.

Hope this helps.
[morning] needcoffee
 
Other than the encrypt rule for transmitting PI, you should be most concerned with access to the files/system: how people access them, who has access to them, and make sure your written policies are in place.

The other part of securing for HIPAA is training your personnel to observe the security policies, always.
 