Problem solve Get help with specific problems with your technologies, process and projects.

Protecting in-house e-mail containing PHI

I have been asked by the privacy group to come up with guidelines and/or a policy statement for dealing with patient...

health information (PHI) in e-mails. My understanding of the rule is that if the e-mails are confined within the hospital, encryption is not needed. Encryption is needed when it goes over the Internet or outside. Is this correct? Can you give me some guidelines for securing in-house e-mail containing PHI?

Internal e-mail should not have to be encrypted, as long as no risks to those e-mails are found during a risk assessment. Keep in mind that if e-mails will be traversing wireless networks (or any other similarly risky system) where vulnerabilities are turned up during a risk assessment, encryption may be required. Similarly, the final HIPAA Security Rule now considers external (Internet, etc.) e-mail encryption as "addressable" and leaves it up to the covered entity to determine whether or not specific risks (found during a risk assessment) would require those e-mails to be encrypted. Bottom line: If risks are found, encryption will be required.

For some specific sample policies/guidelines on e-mail security, check out the ones on the SANS site at https://www.sans.org/resources/policies.

For more information on this topic, visit these other SearchSecurity.com resources:
  • Best Web Links: Health Care/Health Services Security
  • Ask the Expert: Securing e-mail under HIPAA
  • Ask the Expert: Encrypting e-mail and what is considered confidential under HIPAA

  • This was last published in March 2003

    Dig Deeper on Email and Messaging Threats-Information Security Threats

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    Start the conversation

    Send me notifications when other members comment.

    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

    Please create a username to comment.