For a sample template for the HIPAA BUSINESS ASSOCIATE CONTRACT, see: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

 

 

 

Bruce, you completely missed the point.

As for hippa our responsibility per the law is to secure and protect the data as a provider. The point of this request of SM here is the clear text visibility of the data, the lack thereof to encrypt the data and their road map. Bluntly, when everyone else is either on the way or is already encrypting  public data (i.e. your and my customers hosted data) we have no visibility from SM when those expectations can be met.

In house we do something similar on .net products that we deliver as outsourced gigs becasue they usually have some kind of sensitive data. We give the system admin a place to enter a complex password that is stored in encrypted form and used as it as a master key. Encrytion and decryption occurs on the fly on the static data. There is an option for them to provide us a decrpt key as a back door (most choose not to do so). No key = we cant see the data. (If the law comes knocking we give them encrytped data)

My guess is that I nor other SM hosters have any desire to have a "Business Associate Contracts" with some outfit in the middle of Bulgaria or some corner of Burma that pays us $5.00/month.

Okay enough said. SM, the response is in your hands as to your roadmap.

 

Your customer is mandated, by Federal law, to give you a Business Associate Contract.  As guardian for their e-mail, you are mandated to comply with the same rules and regulations they must comply with and you must also ensure that whatever passes through your servers, whether IIS, FTP, or E-Mail, is in compliance. 

 

If you want to provide the product to HIPAA covered entities, then you must be in compliance, and part of that requires that you are covered by a Business Associate Contract.

 

I provided the links for your review.  If you don't comply, and your customer is audited, you will be too.

Bruce you are still missing the point. This request is about encrypting customer mailbox data on a SM mail server, HIPPA and stuff is a seconday matter. Look beyond the trees to see the forest :)

 

I understand what you want to do, and I think it can be done, but I have never tried it.  Yes, to truly be HIPPA complaint all data on the server would have to be encrypted.

 

Keep in mind that encryption and decryption would result in a LOT of CPU usage.

 

You would do the following on the Domains folder:

 

Various versions of Windows might have a slightly different procedure to accomplish the same task.

 

Good luck, and again I want to say I have never actually tried this.  If you try it and it works please let me know.

 

Thanks,

-Joe

Any ever talk about add OpenPGP to Smartermail as an optional addon?

All well and good, up to a point. You should, however, be able to protect the files and folders where SM data is stored, using Windows security, without encrypting those files/folders. I have had entire SM email servers blocked for file access for anyone but admins for years. If your SM server is running on a file server with shared (document, etc.) folders, you can still do this quite easily.

 

Setting up your SM server datastore so that only admins have rights to those files/folders does NOT prevent the flow of email to and from the datastore, because that happens over different mechanisms than file/folder access rights.

 

 

Regarding HIPAA security, employers generally, by law, have full rights to peruse the BUSINESS emailboxes of employees, when they provide company email. How HIPAA laws affect these rules, I have no idea. Would not mind being enlightened on that point.