Health Information Management

Q&A: Sending unencrypted e-mail within a network

HIM-HIPAA Insider, November 2, 2010


Q. Would a covered entity or business associate violate the HIPAA Security Rule if it sends PHI in unencrypted e-mails to an e-mail address within the same domain using a Microsoft Exchange™ server behind the organization’s firewall?

A. No. PHI can be sent unencrypted within what is called a closed network. A network that is internal to the organization and protected by a firewall is considered a closed network. If the firewall is breached and unencrypted PHI is accessed, that would be considered a breach of unsecure PHI and breach notification requirements would apply.
 
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question, which originally appeared in the November issue of Briefings on HIPAA.


