business associate agreement

Michael McConville mmcconville at
Mon Jun 1 17:29:12 EDT 2015

It's also worth noting, though, that OTR will disable logging and will
delete messages along with their encryption key when the conversation
ends. So, if nothing records the messages on either machine *during the
conversation*, they cannot be retrieved. I'm assuming you already know
this, Luke, but I think it's worth mentioning to Catherine.

We should also probably clarify that someone on the server or network
shouldn't be able to "intercept, mutate, and record" messages if the
Pidgin clients' fingerprints are verified. There are some unavoidable
possibilities, like the server dropping messages. Generally, though,
everything going between the two clients is securely unreadable and
unalterable, and no one can inject false messages.

I also agree that it's important to make sure that the systems used are

Let me know if I missed anything, or if I'm misunderstanding anything.

On Mon, Jun 01, 2015 at 05:02:54PM -0400, Luke Schierer wrote:
> EVERYTHING that you do on a computer is submitted through your
> operating system. If you type protected information on the keyboard,
> the OS is responsible for transmitting that information to the
> application.  If you save protected information to disk, the OS plays
> a part in moving that information from memory to storage.  So on and
> so forth.  
> When I am responsible for implementing protection of information, the
> considerations MUST include the operating system. 
> But the base question is I suppose adequately answered.  You are
> planning on transmitting PII data using Pidgin, and you feel that
> raises it to the level of needing an agreement.
> So we'll put aside the Operating systems for a moment, and focus in on
> the transmission of that data.
> You type it into Pidgin sure, but using which service?
> * Have you deployed a Jabber server within your office? If so, do you
>   have an agreement with your jabber server software provider?
> * Are you using AIM? Do you have an agreement with AOL? Their servers
>   would be able to record the messages sent.
> * Are you using MSN? Then we come back to an agreement with Microsoft.
> * Yahoo? And so on.
> OTR will help you with this by (essentially) creating an encrypted
> tunnel between the two Pidgin IM clients, but given that the service
> servers can intercept, mutate, and record your messages, I would want
> to have some assurance that you have your bases covered.  
> Luke
> On Mon, Jun 01, 2015 at 03:35:42PM -0500, Catherine Galle wrote:
> > Luke,
> > 
> > Yes we are required to have a 'BAA' with our appointment scheduling
> > software. We do not have to have an agreement with Windows as nothing that
> > is considered electronic protected health information is submitted to or
> > through them.
> > 
> > Sincerely,
> > Catherine
> > 
> > On Mon, Jun 1, 2015 at 1:58 PM, Luke Schierer <lschiere at> wrote:
> > 
> > _______________________________________________
> > Support at mailing list
> > Want to unsubscribe?  Use this link:
> >
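The properties Michael describes above (the relay sees only ciphertext, cannot alter or inject messages once the MACs check out, but can still drop or re-send them) can be seen in a small model of an OTR-style channel. This is an added example, not Pidgin or libotr code. It assumes the session keys are already agreed (OTR derives them from a Diffie-Hellman exchange whose long-term keys are what the fingerprints verify) and substitutes an HMAC-SHA256 keystream and tag for OTR's AES-CTR and HMAC-SHA1; the keys, messages, long-term public keys and relay behaviour are all constructed for the demonstration.

```python
"""Toy model of an OTR-style channel between two Pidgin clients relayed by an
untrusted IM server.  Added example, not Pidgin/libotr code.  Assumes session
keys already agreed (OTR gets them from a DH exchange); the HMAC-SHA256
keystream and tag stand in for OTR's AES-CTR and HMAC-SHA1."""
import hashlib
import hmac

CTR_LEN = 8   # per-message counter carried in the clear
TAG_LEN = 32  # HMAC-SHA256 tag


def fingerprint(long_term_pubkey: bytes) -> str:
    """OTR displays SHA-1 of the long-term public key as five groups of eight
    hex digits; the two users compare this out of band (in person, by phone)."""
    h = hashlib.sha1(long_term_pubkey).hexdigest().upper()
    return " ".join(h[i:i + 8] for i in range(0, 40, 8))


def keystream(enc_key: bytes, counter: int, n: int) -> bytes:
    """CTR-style keystream from a PRF: HMAC(key, counter || block index)."""
    out = b""
    block = 0
    while len(out) < n:
        msg = counter.to_bytes(CTR_LEN, "big") + block.to_bytes(4, "big")
        out += hmac.new(enc_key, msg, hashlib.sha256).digest()
        block += 1
    return out[:n]


def seal(enc_key: bytes, mac_key: bytes, counter: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: counter || ciphertext || tag over (counter || ciphertext)."""
    header = counter.to_bytes(CTR_LEN, "big")
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, counter, len(plaintext))))
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


class Receiver:
    """The receiving client: verifies the tag before touching the ciphertext."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.expected = 0  # next counter we expect from the peer

    def open(self, packet: bytes):
        """Return (status, plaintext, dropped); dropped counts messages the
        relay withheld before this one."""
        if len(packet) < CTR_LEN + TAG_LEN:
            return ("bad_mac", None, 0)
        header, ct, tag = packet[:CTR_LEN], packet[CTR_LEN:-TAG_LEN], packet[-TAG_LEN:]
        want = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(want, tag):
            return ("bad_mac", None, 0)   # mutated or forged: rejected unread
        counter = int.from_bytes(header, "big")
        if counter < self.expected:
            return ("replay", None, 0)    # genuine but old: the relay re-sent it
        dropped = counter - self.expected
        self.expected = counter + 1
        pt = bytes(c ^ k for c, k in zip(ct, keystream(self.enc_key, counter, len(ct))))
        return ("ok", pt, dropped)


def simulate() -> dict:
    """Alice -> relay -> Bob, with the relay trying each of intercept, mutate,
    record, replay, inject and drop.  All inputs are constructed."""
    enc_key = hashlib.sha256(b"constructed enc key").digest()  # in OTR: from DH
    mac_key = hashlib.sha256(b"constructed mac key").digest()
    bob = Receiver(enc_key, mac_key)
    plaintexts = [b"patient: J. Doe", b"appt moved to 9am", b"room 4",
                  b"bring referral", b"thanks"]
    wire = [seal(enc_key, mac_key, i, m) for i, m in enumerate(plaintexts)]
    r = {}
    r["forward"] = bob.open(wire[0])                  # relay forwards msg 0 untouched
    r["server_sees_plaintext"] = b"appt" in wire[1]   # relay records msg 1 from the wire
    r["after_read"] = bob.open(wire[1])               # ...and forwards it
    tampered = bytearray(wire[2])
    tampered[CTR_LEN] ^= 0x01                         # relay flips one ciphertext bit
    r["mutate"] = bob.open(bytes(tampered))
    r["resend_original"] = bob.open(wire[2])          # the untouched copy still opens
    r["replay"] = bob.open(wire[0])                   # relay re-sends an old message
    # Relay drops msg 3 and injects its own, without Alice's keys.
    forged = seal(hashlib.sha256(b"relay enc").digest(),
                  hashlib.sha256(b"relay mac").digest(), 3, b"fax records to 555-0100")
    r["inject"] = bob.open(forged)
    r["after_drop"] = bob.open(wire[4])               # msg 4 arrives; Bob sees the gap
    # A relay that swapped its own long-term key into the DH exchange would
    # show Bob a fingerprint that does not match the one Alice reads out.
    alice_pub = b"constructed Alice long-term public key"
    relay_pub = b"constructed relay long-term public key"
    r["fingerprint_matches"] = fingerprint(alice_pub) == fingerprint(relay_pub)
    return r


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:22} {v}")
```

The one thing the model cannot stop is the relay withholding a message: Bob only learns of the gap when a later message arrives, which is the "server dropping messages" caveat above. Everything else the relay attempts is either invisible to it (the plaintext) or rejected before the ciphertext is decrypted.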
