Q

Protecting in-house e-mail containing PHI

I have been asked by the privacy group to come up with guidelines and/or a policy statement for dealing with patient health information (PHI) in e-mails. My understanding of the rule is that if the e-mails are confined within the hospital, encryption is not needed. Encryption is needed when it goes over the Internet or outside. Is this correct? Can you give me some guidelines for securing in-house e-mail containing PHI?

Internal e-mail should not have to be encrypted, as long as no risks to those e-mails are found during a risk assessment. Keep in mind that if e-mails will be traversing wireless networks (or any other similarly risky system) where vulnerabilities are turned up during a risk assessment, encryption may be required. Similarly, the final HIPAA Security Rule now considers external (Internet, etc.) e-mail encryption as "addressable" and leaves it up to the covered entity to determine whether or not specific risks (found during a risk assessment) would require those e-mails to be encrypted. Bottom line: If risks are found, encryption will be required.

For some specific sample policies/guidelines on e-mail security, check out the ones on the SANS site at http://www.sans.org/resources/policies.


For more information on this topic, visit these other SearchSecurity.com resources:
  • Best Web Links: Health Care/Health Services Security
  • Ask the Expert: Securing e-mail under HIPAA
  • Ask the Expert: Encrypting e-mail and what is considered confidential under HIPAA

  • This was first published in March 2003

    Dig deeper on Email Security Guidelines, Encryption and Appliances

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    -ADS BY GOOGLE

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close