FYI - it's HIPAA (not HIPPA). For email, see this: http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2006.html

The easiest way to implement a secure email system is to contact a vendor (Symantec Cloud for example) who will set up a TLS tunnel between your Exchange server and their service. ALL incoming and outgoing email moves through this tunnel. Email is now encrypted between Exchange and the provider. Also, you set up Exchange so that it ONLY sends and ONLY receives email over this tunnel.

This is only the 1st step. The next step would be to create RULES w/ the provider to specify what happens when certain conditions are met. For example... if Exchange users type "secure" in their subject line, then the provider will redirect the email to a secure portal (a website) and notify the recipient that they have a secure email waiting for them in the portal. It is now up to the recipient to create a password, log into the portal, and retrieve the secure message. What happens after that is not your problem. You've secured the message during transmission, and verified that only the intended recipient can retrieve the message.

Now, some people don't like having to log into a portal (website) to retrieve secure email. And in some cases, businesses will establish DIRECT TLS tunnels between companies, so that the two companies basically have the equivalent of an Exchange-only VPN connection between the two. All Exchange (email) traffic that is destined for companyB from companyA is direct (TLS tunneled) and never leaves or is exposed to the public Internet. You can imagine the pros of this.... Users don't have to remember to type "secure" in their subject line (or whatever other rules), and recipients don't have to log into a portal to get their secure messages. Of course you have the added overhead of configuring/maintaining TLS tunnels to companyA, companyB, company, etc... and this only works if you send email to a user's corporate email address (not a home email address). Which is why most places will choose to use a portal and train users to use the appropriate rules (secure in the subject line, etc).

HTH
Good luck!

From: [email protected] [mailto:[email protected]] On Behalf Of Jimmy Tran
Sent: Wednesday, April 23, 2014 11:31 AM
To: [email protected]
Subject: [NTSysADM] RE: is email over SSL same as email encryption?

After doing some more reading, it looks like the sender and recipient need to exchange keys for this to work. To the members here who have to be HIPPA compliant for email, do you mind sharing what you have in place? Do you use a 3rd party to handle this? How do you communicate with users outside your organization and also be compliant?

From: [email protected] [mailto:[email protected]] On Behalf Of Jimmy Tran
Sent: Wednesday, April 23, 2014 8:19 AM
To: [email protected]
Subject: [NTSysADM] is email over SSL same as email encryption?

I ask this because I have a client who wants to be HIPPA compliant with patient communication. I don't know much about compliance with email except that the email needs to be encrypted. Currently, they use email hosted by bluehost via imap and over SSL. This just means the connection to bluehost is encrypted, but by the time it hits the patient's inbox, it is no longer encrypted, correct?

TIA,
Jimmy
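As an added illustration (not code from the thread, from Symantec Cloud, or from any other vendor), here is a small Python model of the routing policy the reply lays out: the provider tunnel, the "secure" subject-line rule, direct TLS tunnels to partner domains, and the home-address case where a message is encrypted only as far as the provider. The keyword, the partner domain list and all addresses are assumptions.

```python
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Assumed configuration (not from the thread): the subject keyword the
# provider's rule matches, and the partner domains with a direct TLS tunnel.
PORTAL_KEYWORD = "secure"
DIRECT_TLS_PARTNERS = {"companyb.example"}

def recipient_domains(msg: Message) -> set[str]:
    """Lower-cased domain of every To/Cc recipient."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.rsplit("@", 1)[1].lower() for _, addr in pairs if "@" in addr}

def route(msg: Message, provider_tunnel_up: bool = True) -> str:
    """Which path a message takes under the policy described in the reply:
    'held'         - provider tunnel is down; Exchange ONLY sends over it
    'direct-tls'   - every recipient is at a partner with a direct tunnel
    'portal'       - subject carries the keyword; provider redirects to portal
    'provider-tls' - encrypted only as far as the provider, then ordinary mail
    """
    if not provider_tunnel_up:
        return "held"
    domains = recipient_domains(msg)
    if domains and domains <= DIRECT_TLS_PARTNERS:
        return "direct-tls"
    if PORTAL_KEYWORD in msg.get("Subject", "").lower():
        return "portal"
    return "provider-tls"

def protected_to_recipient(decision: str) -> bool:
    """True only when the message never crosses the public Internet in clear
    text on its way to the recipient (the point of the original question)."""
    return decision in {"direct-tls", "portal"}

# Constructed sample messages.
TO_PARTNER = message_from_string(
    "From: alice@companya.example\r\nTo: bob@companyb.example\r\n"
    "Subject: lab results\r\n\r\nbody\r\n")
TO_PATIENT_PLAIN = message_from_string(
    "From: alice@companya.example\r\nTo: patient@home-mail.example\r\n"
    "Subject: lab results\r\n\r\nbody\r\n")
TO_PATIENT_SECURE = message_from_string(
    "From: alice@companya.example\r\nTo: patient@home-mail.example\r\n"
    "Subject: SECURE: lab results\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for m in (TO_PARTNER, TO_PATIENT_PLAIN, TO_PATIENT_SECURE):
        d = route(m)
        print(m["To"], "->", d, "| protected to recipient:", protected_to_recipient(d))
```

The plain message to the patient's home address is the case the thread warns about: it is encrypted to the provider, but nothing in the policy protects it beyond that, so it is the one users have to be trained to tag.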

