o365 and HIPAA information between two different agencies
-
@coliver said in o365 and HIPAA information between two different agencies:
Yes, O365 uses opportunistic TLS so the email will be end-to-end encrypted. If you want to ensure it is encrypted in transit you can set up a mail flow rule to only accept TLS signed messages from that domain.
As @coliver stated, it is opportunistic TLS. Now because you are sending from one Exchange Online service to another, it should always TLS encrypt the transaction.
But if you want to be 100% certain, you have to add a rule as mentioned to require TLS to/from that domain.
-
@coliver said in o365 and HIPAA information between two different agencies:
Yes, O365 uses opportunistic TLS so the email will be end-to-end encrypted. If you want to ensure it is encrypted in transit you can set up a mail flow rule to only accept TLS signed messages from that domain.
What is a TLS signed message?
-
@Dashrender said in o365 and HIPAA information between two different agencies:
@coliver said in o365 and HIPAA information between two different agencies:
Yes, O365 uses opportunistic TLS so the email will be end-to-end encrypted. If you want to ensure it is encrypted in transit you can set up a mail flow rule to only accept TLS signed messages from that domain.
What is a TLS signed message?
Thanks, I fixed it. I was working on something else and got my jargon mixed up.
-
I was serious, didn't know if there was something I was missing.
As for HIPAA compliance, we are soon going to be turning on the ability to only send if the receiver accepts TLS, otherwise can't send to you.
Incoming doesn't matter so it will remain opportunistic, as it's the senders responsibility to ensure encryption exists, not the receiver.
-
@Mike-Davis said
If two different agencies are using Office 365 can they send client information back an fourth? Office 365 says that it's HIPAA compliant, so if the information stays in their cloud, is it covered?
Do you mean does just doing that (sending the file via O365) make it compliant?
-
@BRRABill said in o365 and HIPAA information between two different agencies:
@Mike-Davis said
If two different agencies are using Office 365 can they send client information back an fourth? Office 365 says that it's HIPAA compliant, so if the information stays in their cloud, is it covered?
Do you mean does just doing that (sending the file via O365) make it compliant?
Assuming there was a guarantee of transport encryption - previous discussions here on ML would say - yes it does.
-
@Dashrender said in o365 and HIPAA information between two different agencies:
@BRRABill said in o365 and HIPAA information between two different agencies:
@Mike-Davis said
If two different agencies are using Office 365 can they send client information back an fourth? Office 365 says that it's HIPAA compliant, so if the information stays in their cloud, is it covered?
Do you mean does just doing that (sending the file via O365) make it compliant?
Assuming there was a guarantee of transport encryption - previous discussions here on ML would say - yes it does.
No, that is not what was ever said.
I have never seen anyone say that just using Exchange Online provides HIPAA compliance. I have seen it said by others and myself, that it gives you automatic opportunistic TLS and thus in most cases, your email is already encrypted.
But compliance requires knowledge that encryption was used. That means you have to force TLS to be used on outbound mail that carries PHI covered by HIPAA.
-
@JaredBusch said in o365 and HIPAA information between two different agencies:
@Dashrender said in o365 and HIPAA information between two different agencies:
@BRRABill said in o365 and HIPAA information between two different agencies:
@Mike-Davis said
If two different agencies are using Office 365 can they send client information back an fourth? Office 365 says that it's HIPAA compliant, so if the information stays in their cloud, is it covered?
Do you mean does just doing that (sending the file via O365) make it compliant?
Assuming there was a guarantee of transport encryption - previous discussions here on ML would say - yes it does.
No, that is not what was ever said.
I have never seen anyone say that just using Exchange Online provides HIPAA compliance. I have seen it said by others and myself, that it gives you automatic opportunistic TLS and thus in most cases, your email is already encrypted.
But compliance requires knowledge that encryption was used. That means you have to force TLS to be used on outbound mail that carries PHI covered by HIPAA.
Did you even read what I wrote! Assuming a guarantee of transport encryption - which you can't do without turning off opportunistic TLS and making it mandatory. So that covers anything else you have to say.
-
@Dashrender said in o365 and HIPAA information between two different agencies:
@JaredBusch said in o365 and HIPAA information between two different agencies:
@Dashrender said in o365 and HIPAA information between two different agencies:
@BRRABill said in o365 and HIPAA information between two different agencies:
@Mike-Davis said
If two different agencies are using Office 365 can they send client information back an fourth? Office 365 says that it's HIPAA compliant, so if the information stays in their cloud, is it covered?
Do you mean does just doing that (sending the file via O365) make it compliant?
Assuming there was a guarantee of transport encryption - previous discussions here on ML would say - yes it does.
No, that is not what was ever said.
I have never seen anyone say that just using Exchange Online provides HIPAA compliance. I have seen it said by others and myself, that it gives you automatic opportunistic TLS and thus in most cases, your email is already encrypted.
But compliance requires knowledge that encryption was used. That means you have to force TLS to be used on outbound mail that carries PHI covered by HIPAA.
Did you even read what I wrote! Assuming a guarantee of transport encryption - which you can't do without turning off opportunistic TLS and making it mandatory. So that covers anything else you have to say.
Yes, I read exactly what you wrote. And by using such vague language I thought I was listening to a Trump speech.
-
@JaredBusch said in o365 and HIPAA information between two different agencies:
@Dashrender said in o365 and HIPAA information between two different agencies:
@JaredBusch said in o365 and HIPAA information between two different agencies:
@Dashrender said in o365 and HIPAA information between two different agencies:
@BRRABill said in o365 and HIPAA information between two different agencies:
@Mike-Davis said
If two different agencies are using Office 365 can they send client information back an fourth? Office 365 says that it's HIPAA compliant, so if the information stays in their cloud, is it covered?
Do you mean does just doing that (sending the file via O365) make it compliant?
Assuming there was a guarantee of transport encryption - previous discussions here on ML would say - yes it does.
No, that is not what was ever said.
I have never seen anyone say that just using Exchange Online provides HIPAA compliance. I have seen it said by others and myself, that it gives you automatic opportunistic TLS and thus in most cases, your email is already encrypted.
But compliance requires knowledge that encryption was used. That means you have to force TLS to be used on outbound mail that carries PHI covered by HIPAA.
Did you even read what I wrote! Assuming a guarantee of transport encryption - which you can't do without turning off opportunistic TLS and making it mandatory. So that covers anything else you have to say.
Yes, I read exactly what you wrote. And by using such vague language I thought I was listening to a Trump speech.
LOl it wasn't vague in the least - easy to misinterpret, sure, worded in such a way that someone could draw any conclusion they wanted, but definitely not wrong.
-
What I meant to say was that there are like 5,000 things that go into HIPAA compliance. Which is why O365 would never say they are "HIPAA Compliant", but rather could be used as part of a company being compliant.
For example if they are using Outlook and the file is then stored in a cache on a local machine, they are no longer compliant. Well, they could be, if it was also encrypted locally, inventoried, audited, etc., etc., etc..
I just wanted to be sure the OP knew there was a lot more than just the transport to worry about.
-
Thank you for all the responses. I understood what was meant.
-
@BRRABill said in o365 and HIPAA information between two different agencies:
What I meant to say was that there are like 5,000 things that go into HIPAA compliance. Which is why O365 would never say they are "HIPAA Compliant", but rather could be used as part of a company being compliant.
For example if they are using Outlook and the file is then stored in a cache on a local machine, they are no longer compliant. Well, they could be, if it was also encrypted locally, inventoried, audited, etc., etc., etc..
I just wanted to be sure the OP knew there was a lot more than just the transport to worry about.
Actually, at rest encryption is not a requirement. It's highly pushed, but not a requirement.
-
@Dashrender said
Actually, at rest encryption is not a requirement. It's highly pushed, but not a requirement.
Well, if you are going with that, neither does data in transmission.
But you better have a great reason for not doing it and a lot of documentation!
-
@BRRABill said in o365 and HIPAA information between two different agencies:
@Dashrender said
Actually, at rest encryption is not a requirement. It's highly pushed, but not a requirement.
Well, if you are going with that, neither does data in transmission.
But you better have a great reason for not doing it and a lot of documentation!
heads to the internet to find the specific about data crossing a public network
-
@JaredBusch said in o365 and HIPAA information between two different agencies:
@Dashrender said in o365 and HIPAA information between two different agencies:
@JaredBusch said in o365 and HIPAA information between two different agencies:
@Dashrender said in o365 and HIPAA information between two different agencies:
@BRRABill said in o365 and HIPAA information between two different agencies:
@Mike-Davis said
If two different agencies are using Office 365 can they send client information back an fourth? Office 365 says that it's HIPAA compliant, so if the information stays in their cloud, is it covered?
Do you mean does just doing that (sending the file via O365) make it compliant?
Assuming there was a guarantee of transport encryption - previous discussions here on ML would say - yes it does.
No, that is not what was ever said.
I have never seen anyone say that just using Exchange Online provides HIPAA compliance. I have seen it said by others and myself, that it gives you automatic opportunistic TLS and thus in most cases, your email is already encrypted.
But compliance requires knowledge that encryption was used. That means you have to force TLS to be used on outbound mail that carries PHI covered by HIPAA.
Did you even read what I wrote! Assuming a guarantee of transport encryption - which you can't do without turning off opportunistic TLS and making it mandatory. So that covers anything else you have to say.
Yes, I read exactly what you wrote. And by using such vague language I thought I was listening to a Trump speech.
I mean--look, I'm for it. I'm for guaranteed transport encryption. Okay? But it's coming into our country to do tremendous harm. I've had so many people call me and say thank you. You see them talking and they say "Trump has a point."
-
@Mike-Davis said in o365 and HIPAA information between two different agencies:
If two different agencies are using Office 365 can they send client information back an fourth? Office 365 says that it's HIPAA compliant, so if the information stays in their cloud, is it covered?
That's correct. Pure O365 transmissions meet the HIPAA requirements.
-
@Dashrender said in o365 and HIPAA information between two different agencies:
Incoming doesn't matter so it will remain opportunistic, as it's the senders responsibility to ensure encryption exists, not the receiver.
Does that wording exist somewhere? What makes one party more responsible than the other?
-
@BRRABill said in o365 and HIPAA information between two different agencies:
@Dashrender said
Actually, at rest encryption is not a requirement. It's highly pushed, but not a requirement.
Well, if you are going with that, neither does data in transmission.
But you better have a great reason for not doing it and a lot of documentation!
That correct, that fax is allowed, for example, or phone calls demonstrates that data encryption is never a requirement. It's just that IT staff take security so much more seriously by default.
-
@BRRABill said in o365 and HIPAA information between two different agencies:
@Dashrender said
Actually, at rest encryption is not a requirement. It's highly pushed, but not a requirement.
Well, if you are going with that, neither does data in transmission.
But you better have a great reason for not doing it and a lot of documentation!
These two parts seem to have the most to do with encryption over a network. It seems I misunderstood, it it addressable. So, you're right, not required - but so easy and cheap to implement, you better have a damned good reason not to. Assuming the at rest encryption is the same, that's pretty easy to fight because at rest encryption is often expensive, if not in actual dollars, in management, so that would be a reason to not do it on the end user devices. that said, I think where possible doing it on mobile devices is prudent.
164.312(a)(2)(iv)
(iv)
Encryption and decryption
(Addressable).
Implement a
mechanism to encrypt and
decrypt electronic protected
health information.(e)(1)
Standard: Transmission
security.
Implement technical
security measures to guard
against unauthorized access to
electronic protected health
information that is being
transmitted over an electronic
communications network.
(ii)
Encryption
(Addressable).
Implement a mechanism to
encrypt electronic protected
health information whenever
deemed appropriate.
