the_bear 3 hours ago
I'm not a lawyer, but I'm currently working on getting my company HIPAA-compliant, so I know more than the average person about this. My understanding is that there's a thing called the "conduit exception" which basically says that if data is transiently passing through a channel and it's not being looked at, it's OK. But wherever the data lands must be HIPAA-compliant. This seems crazy to me, but that's how it works, I think. For example, if you encrypt PHI and store it in AWS without signing a BAA with them, that's a HIPAA violation, even though the data is encrypted and Amazon can't see it. But if you send encrypted data through AWS without actually storing it, that's fine. Mail is specifically mentioned as a thing that qualifies for the conduit exception. I'm not totally clear why it isn't a HIPAA violation the moment it arrives at a destination (it's not in transit at that point, and it's potentially not in the possession of the intended recipient either), but it seems pretty well accepted that it's not. All that to say: I think encrypted email would still require a BAA because it's being stored, not just transmitted.
Telaneo 2 hours ago (reply to the_bear)
> My understanding is that there's a thing called the "conduit exception" which basically says that if data is transiently passing through a channel and it's not being looked at, it's ok. But wherever the data lands must be HIPAA-compliant.

Sounds like they needed fax to be compliant, and came up with some moon logic to make that happen.
cogman10 3 hours ago (reply to the_bear)
Honestly, I think it's just because it's a crime to open someone else's mail. For whatever reason, that sort of policy isn't extended to encrypted data in the cloud. It was a law written in the 90s; it should be updated and modernized.