Internet Mail and HIPAA compliance

uberg33k50
I am trying to find opinions on whether the rules regarding email in the HIPAA regulations (sections 164.306(a)(1), (a)(2) and (a)(4)) indicate that an organization should restrict access to Internet mail by employees.

On the surface it appears to me that permitting access to Internet email would be a violation because the organization has no way to track and ensure compliance. e.g., what is to stop an employee from transmitting PHI in a Hotmail account, and if they did, how could you know?

My thought is to block access to those accounts. Does anyone have an opinion as to whether that is reasonable or not?
    NickNielsen Moderator

    ...the organization has no way to track and ensure compliance.

    Sounds eminently reasonable to me. My current client strictly controls Internet access and completely blocks internet mail for exactly that reason.

    Tig2

    By HIPAA best practice, it should be blocked. There has even been discussion around whether ALL employees in an organisation need to have an email account.

    Believe me, you will get a lot of flak for this move. Be ready with some new security training.

    Another move that works well in conjunction is to disable USB flash drives and synchronisation with any non-issued devices (Blackberries, PDAs, etc.), as this is another way that your PHI information is capable of making it out of the organisation and into the wild. And of course, no document storage on the C: drive.
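    One concrete way to carry out the "disable USB flash drives" part of the advice above, as an added example that is not from the thread or any of its posters: on Windows, the USB mass-storage class driver is the USBSTOR service, and setting its Start value to 4 (disabled) stops the driver from loading for newly attached drives; 3 (manual) is the normal enabled value. The registry path and the meaning of the Start values are documented Windows behaviour; the function names and the dry-run usage at the bottom are this example's own. Run it from an elevated PowerShell session.

```powershell
# Added example: disable or re-enable the USB mass-storage driver (USBSTOR) on a
# Windows host by setting its service Start value.
#   3 = manual (driver loads when a USB disk is attached; the default)
#   4 = disabled (driver never loads; flash drives are not mounted)
# Run elevated. Devices that are already installed and plugged in keep working
# until they are unplugged or the machine reboots.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    # Report the current state as a readable string.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    if ($start -eq 4) { 'Disabled' } else { "Enabled (Start=$start)" }
}

function Disable-UsbStorage {
    # Supports -WhatIf / -Confirm so the change can be rehearsed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($UsbStorKey, 'Set Start=4 (disable USBSTOR)')) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }
}

function Enable-UsbStorage {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($UsbStorKey, 'Set Start=3 (enable USBSTOR)')) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
    }
}

# Hypothetical usage: audit, rehearse the change, then apply it.
"Before: $(Get-UsbStorageState)"
Disable-UsbStorage -WhatIf      # dry run; prints what would change
Disable-UsbStorage -Confirm:$false
"After:  $(Get-UsbStorageState)"
```

    Two caveats a practitioner should keep in mind: this only blocks the mass-storage class, so PDA and phone synchronisation over other USB device classes (or over Bluetooth and Wi-Fi) needs its own control, and a user with local administrator rights can simply set the value back, so the setting should be enforced centrally (for example through Group Policy) and the key's value monitored, rather than set once by hand.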

    uberg33k50

    Thanks for the replies. I have a meeting tomorrow morning with the President of the company. She wants to know why we think this is necessary. She is against it because she thinks it is aimed more at controlling the staff than security.
