I have been asked by the privacy group to come up with guidelines and/or a policy statement for dealing with patient health information (PHI) in e-mails. My understanding of the rule is that if the e-mails are confined within the hospital, encryption is not needed. Encryption is needed when it goes over the Internet or outside. Is this correct? Can you give me some guidelines for securing in-house e-mail containing PHI?
Internal e-mail should not have to be encrypted, as long as no risks to those e-mails are found during a risk assessment. Keep in mind that if e-mails will be traversing wireless networks (or any other similarly risky system) where vulnerabilities are turned up during a risk assessment, encryption may be required. Similarly, the final HIPAA Security Rule now considers external (Internet, etc.) e-mail encryption as "addressable" and leaves it up to the covered entity to determine whether or not specific risks (found during a risk assessment) would require those e-mails to be encrypted. Bottom line: If risks are found, encryption will be required.
For some specific sample policies/guidelines on e-mail security, check out the ones on the SANS site at http://www.sans.org/resources/policies.
For more information on this topic, visit these other SearchSecurity.com resources:
Dig deeper on Email Security Guidelines, Encryption and Appliances
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.