Case Two : Protecting Health Care Privacy The U.S. Health Insurance Portability and Accountability Act (HIPAA) addresses (among other things) the privacy of health information. Title 2 of the act regulates the use and disclosure of protected health information (PHI), such as billing services, by healthcare providers, insurance carriers, employers, and business associates. Email is often the best way for a hospital to communicate with off-site specialists and insurance carriers about a patient. Unfortunately, standard email is insecure. It allows eavesdropping, later retrieval of messages from unprotected backups, message modification before it is received, potential invasion of the senders privacy by providing access to information about the identity and location of the sending computer, and more. Since healthcare provider email often includes PHI, healthcare facilities must be sure their email systems meet HIPAA privacy and security requirements. Childrens National Medical Center (CNMC) of Washington, D.C., The Nations Childrens Hospital, is especially aware of privacy concerns because its patients are children. CNMC did what many organizations do when faced with a specialized problem: rather than try to become specialists or hire specialists for whom the hospital has no long-term full-time need, it turned to a specialist firm. CNMC chose Proof point of Sunnyvale, California, for its security as a service (SaaS) email privacy protection service. Matt Johnston, senior security analyst at CNMC, says that children are the highest target for identity theft. A small kids record is worth its weight in gold on the black market. Its not the doctors job to protect that information. Its my job. Johnston explains that he likes several things about the Proof point service: I dont have to worry about backups. Proof point handles those. I dont have to worry about if a server goes down. [If it was a CNMC server, I would have to] get my staff ramped up and bring up another server. Proof point does that for us. Its one less headache. We had a product in-house before. It required several servers which took a full FTE [full-time employee] just to manage this product. It took out too much time. Spam has been on the rise. Since Proof point came in, weve seen a dramatic decrease in spam. It takes care of itself. The end user is given a digest daily. Email can be encrypted or not, according to rules that the end user need not be personally concerned with. Their tech support has been great. Proof point is not the only company that provides healthcare providers with email security services. LuxSci of Cambridge, Massachusetts, also offers HIPAA-compliant email hosting services, as do several other firms. They all provide the same basic features: user authentication, transmission security (encryption), logging, and audit. Software that runs on the providers computers can also deliver media control and backup. Software that runs on a user organizations server necessarily relies on that organization to manage storage; for example, deleting messages from the server after four weeks as HIPAA requires. As people become more aware of the privacy risks associated with standard email, the use of more secure solutions such as these will undoubtedly become more common in the future. Critical Thinking Questions: What requirement does HIPAA institute to safeguard patient privacy? Universities use email to communicate private information. For example, an instructor might send you an email explaining what you must do to raise your grade. The regulations about protecting that information under the Family Educational Rights and Privacy Act (FERPA) are not as strict as those under HIPAA. Do you think they should be strict as HIPAAs requirements? Why or why not? How does Proof point safeguard patient privacy? Could Proof point do the same for university and corporate emails? Why or why not? Submit the assignment to Dropbox.