Educause Security Discussion mailing list archives

Re: HIPAA question


From: David Grisham <Dgrisham () SALUD UNM EDU>
Date: Fri, 15 Apr 2011 09:22:19 -0600

If I may answer this question and the previous question about e-mail simultaneously in regard to PII e-mail use and 
reminders under HIPAA.
#1. We use an encrypted mail client within our trusted network. Any confidential information including ePHI that is to 
be sent outside of the trusted network must be secured either by IronPort Department Rule or manually with Cisco 
IronPort's E-Mail Security Appliance. Further, we require individuals to send only the minimal amount of information 
necessary, ensure that it is addressed to an authorized recipient and not forwarded out of our trusted network.
#2. We require hospital and health science center staff to take an annual CBT on HIPAA privacy and Cyber security. The 
CBT is accompanied by not only electronic reminders in our weekly and/or monthly publications from public affairs but 
the privacy officer and IT security management & staff give lectures/talks to classes, go to department staff meetings 
and enterprise management meetings on acceptable use issues of HIPAA that have recently ranged from encryption to new 
policies.
Cheers.-grish
David Grisham, Ph.D, CISM
Manager, IT Security, UNM Hospitals

Jon Hanny <jehanny () GWU EDU> 4/15/2011 6:00 AM >>>
Do you send out any memos or periodic reminders on acceptable use of
email as it relates to HIPAA?

Respectfully,

---------------------------------
Jon Hanny
CISM, CISSP, CRISC, GSLC
Risk and Compliance Services
Division of IT
The George Washington University
703-726-4469
jehanny () gwu edu 
---------------------------------

On 4/14/2011 5:10 PM, Taylor, James R wrote:
We use the Voltage encryption gateway as well as their Outlook plug-in for
end-to-end encryption.

_______________________
Jim Taylor
Information Security Officer (ISO)
Missouri State University
417-836-5226

Confidentiality Notice: This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jon Hanny
Sent: Thursday, April 14, 2011 10:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: [SECURITY] HIPAA question

I was wondering if/how any of you have addressed HIPAA with relation to
email usage. Please advise.


