Email encryption
Q. Are we required to use encryption on all email, or only email that contains PHI?
A. You are not required to use encryption if the email does not contain PHI. It is sound practice, though, to encrypt email if it contains other confidential information like internal financial information, practitioner disciplinary information, information related to a lawsuit, and so forth. There is always the risk of interception. Confidential information in the wrong hands can get rather expensive for the organization.
Editor's note: This question was answered by Chris Apgar, CISSP, for Briefings on HIPAA. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.