[VOIPSEC] Secure Real-time Transport Protocol (SRTP)
Zmolek, Andrew (Andy)
zmolek at avaya.com
Fri Mar 25 18:54:12 CST 2005
This is correct, and the HIPAA exclusion for public couriers you mention could be extrapolated to the use of public voice services (VoIP carriers included). It would be a stretch to say the exception applies to private systems; however, in most cases VoIP calls aren't recorded, so there's no "electronic record" produced (hence nothing there to regulate).
In general, HIPAA consultants don't bother to look at voice communications systems, and HHS, who drafts the regulations, doesn't give useful guidance there. What I typically see as an equipment vendor are customers who would like the vendor to make them fully compliant, which is only possible in a fully outsourced model because HIPAA is more of an operational standard, like ISO 9001. Given the overall lack of enforcement by OCR, the game for most "covered entities" under HIPAA is to avoid being the first target, and it's hard to imagine anyone getting in trouble over a VoIP system given current conditions.
-----Original Message-----
From: Sean Donelan [mailto:sean at donelan.com]
Sent: Fri Mar 25 18:07:04 2005
To: Zmolek, Andrew (Andy)
Cc: Voipsec at Voipsa. Org
Subject: RE: [VOIPSEC] Secure Real-time Transport Protocol (SRTP)
On Fri, 25 Mar 2005, Zmolek, Andrew (Andy) wrote:
> Neither GLBA nor HIPAA specifically call out communications
> infrastructure. However, since there is no specific exclusion for it,
> the issue cannot simply be dismissed.
Actually there are exclusions for communications infrastructure like the
US Postal Service. Just because you mail a letter containing potentially
covered information doesn't mean the USPS must do anything different for
first class mail containing GLBA/HIPAA information versus any other
first class mail.
The process of preparing the letter, mailing the letter, receiving the
letter and opening the letter is probably included. Printing medical
information on post cards is probably a bad idea. But the communications
infrastructure that carries the letter from point A to point B in
its "secure" envelope probably isn't included. Of course the
consultants will probably want to include as many billable hours
as possible.