Ask the Expert

Protecting in-house e-mail containing PHI

I have been asked by the privacy group to come up with guidelines and/or a policy statement for dealing with patient health information (PHI) in e-mails. My understanding of the rule is that if the e-mails are confined within the hospital, encryption is not needed. Encryption is needed when it goes over the Internet or outside. Is this correct? Can you give me some guidelines for securing in-house e-mail containing PHI?

    Requires Free Membership to View

Internal e-mail should not have to be encrypted, as long as no risks to those e-mails are found during a risk assessment. Keep in mind that if e-mails will be traversing wireless networks (or any other similarly risky system) where vulnerabilities are turned up during a risk assessment, encryption may be required. Similarly, the final HIPAA Security Rule now considers external (Internet, etc.) e-mail encryption as "addressable" and leaves it up to the covered entity to determine whether or not specific risks (found during a risk assessment) would require those e-mails to be encrypted. Bottom line: If risks are found, encryption will be required.

For some specific sample policies/guidelines on e-mail security, check out the ones on the SANS site at

For more information on this topic, visit these other resources:
  • Best Web Links: Health Care/Health Services Security
  • Ask the Expert: Securing e-mail under HIPAA
  • Ask the Expert: Encrypting e-mail and what is considered confidential under HIPAA

    This was first published in March 2003

  • There are Comments. Add yours.

    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: