
Are your e-mail policies HIPAA-proof?

Dec 08, 2005

* Why it's important to consider HIPAA when developing e-mail policies

The University of Medicine and Dentistry of New Jersey has established a policy that is a good example of how e-mail containing protected health information (PHI) must be managed under the Health Insurance Portability and Accountability Act (HIPAA). The university enforces the policy with ZixCorp’s encrypted messaging capability; the policy contains the following basic provisions:

* All outgoing e-mail is scanned using two lexicons, one that looks for the names of particular diseases or health conditions and the other that looks for sensitive content like Social Security numbers.

* An e-mail will be sent unencrypted if the body of the message contains only one of the two (a disease/condition or a Social Security number); if both are present, the message will be encrypted automatically.

* If PHI is found in the subject line of a message, it will automatically be rejected. The sender will be given the option of modifying the subject line and resending the message.

The university’s policy is a good example of one that all organizations should follow, at least in principle, regardless of their size or the industry in which they participate. For example, let’s say one of your company’s managers sends an e-mail to your external benefits administrator that reads something like the following:

“Is Bob Smith’s prescription for Lipitor because of his high cholesterol covered under our company’s benefits plan?  His Social Security number is 123-45-6789.”

That message would violate the provisions of HIPAA and could result in a significant fine for your company, something you probably don’t need. As a result, it makes sense to be aware of HIPAA’s requirements and to implement the appropriate systems or services that will protect your organization from violations.
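The three provisions above, run against the sample benefits message, as an added example of how an outbound-mail policy check of this kind works. This is illustrative code written for this page, not the university's policy engine and not ZixCorp's product; the lexicon contents, the Social Security number pattern, the `Email` class and the `classify` function are all assumptions made here, and the `require_both=False` mode is a stricter variant the page does not describe.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lexicon of disease/condition names (assumption: a real
# deployment loads a much larger, maintained list; drug names are not in
# the page's lexicon, so "Lipitor" alone does not trigger it).
CONDITION_LEXICON: List[str] = [
    "high cholesterol", "diabetes", "hypertension", "hiv", "cancer", "asthma",
]

# Second lexicon from the page: sensitive identifiers. Only the US Social
# Security number pattern NNN-NN-NNNN is modelled here (assumption).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# One case-insensitive, word-bounded pattern covering every condition term.
CONDITION_RE = re.compile(
    r"\b(" + "|".join(re.escape(t) for t in CONDITION_LEXICON) + r")\b",
    re.IGNORECASE,
)


@dataclass
class Email:
    subject: str
    body: str


def find_conditions(text: str) -> List[str]:
    """Return every condition-lexicon hit in the text, lower-cased."""
    return [m.group(0).lower() for m in CONDITION_RE.finditer(text)]


def find_ssns(text: str) -> List[str]:
    """Return every Social Security number-shaped token in the text."""
    return SSN_RE.findall(text)


def classify(email: Email, require_both: bool = True) -> str:
    """Apply the three provisions and return 'reject', 'encrypt' or 'send'.

    require_both=True mirrors the policy as described: the body is encrypted
    only when a condition name AND an SSN both appear. require_both=False is a
    stricter variant (an assumption, not on the page) that encrypts on either
    indicator alone.
    """
    # Provision 3: PHI in the subject line rejects the message outright, so the
    # sender can rewrite the subject and resend. Subject lines are typically
    # left in clear text by message encryption, which is why they are not
    # simply encrypted along with the body.
    if find_conditions(email.subject) or find_ssns(email.subject):
        return "reject"

    # Provisions 1 and 2: scan the body with both lexicons and decide.
    has_condition = bool(find_conditions(email.body))
    has_ssn = bool(find_ssns(email.body))
    if require_both:
        return "encrypt" if (has_condition and has_ssn) else "send"
    return "encrypt" if (has_condition or has_ssn) else "send"


# Constructed sample: the benefits message quoted in the column.
SAMPLE = Email(
    subject="Benefits question",
    body=("Is Bob Smith's prescription for Lipitor because of his high "
          "cholesterol covered under our company's benefits plan? "
          "His Social Security number is 123-45-6789."),
)

if __name__ == "__main__":
    print(classify(SAMPLE))                      # both indicators: encrypt
    print(classify(Email("Bob Smith's high cholesterol claim", "see body")))
    print(classify(Email("Benefits question", "Is high cholesterol covered?")))
```

As written, a body that carries only one indicator is sent in the clear, exactly as the column describes the policy; a reviewer of such a policy would weigh whether a lone Social Security number or a lone diagnosis should also force encryption, which is what the `require_both=False` switch models.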