On several occasions, we have been asked if it’s safe to send protected health information (PHI) or other sensitive data via regular email to other internal users of a network. In other words, if you are sending PHI or sensitive information to a co-worker, is it OK to just send it in a regular email?
Answer: No. Never.
The reason is that hosted email providers, such as Intermedia and O365, sit outside of your network. When you send someone an email (even someone within your company), that message leaves your machine, travels to the email provider’s servers, and is then delivered to the intended recipient. An unencrypted email can be intercepted and read at any point along that path. That’s why it’s critical to send PHI, confidential information, sensitive financial reports and similar data only by using email encryption.
How to Tell What Information Should be Sent Securely
Not everything needs to be sent via encrypted email. Think about how sensitive a message is and whether it needs to be protected against prying eyes or inadvertent forwards. Ask yourself the following questions:
- Does the email contain something of value – a password, a bank account number, or sensitive company information, including confidential items such as client names, work products, etc.?
- Are you communicating something sensitive or business confidential?
- Is this message sensitive enough to add an expiration date?
- Would you ever want to take back the email?
- Are you discussing something that is potentially embarrassing to you or others?
- Does the email relate to a situation that is rapidly changing or evolving?
If the answer is yes to any of these questions, you will want to use encryption.
Guidelines to Follow When Sending PHI or Sensitive Information
- Limit the information you include in an email to the minimum necessary information.
- Whenever possible, avoid transmitting highly sensitive PHI (for example, mental health, substance abuse, or HIV information) by email.
- Never use global automatic forwarding to send emails from your email account to another account.
- Never send PHI by email unless you have verified the recipient’s address (for example, from a directory or a previous email) and you have checked and double-checked that you have entered the address correctly.
- Always include a privacy statement notifying the recipient of the insecurity of email and providing a contact to whom a recipient can report a misdirected message.
- Do not allow forwarding of a secure email.
The 15 Secure Email Identifiers that You Need to Know
In general, if you are sending an email that contains ANY of the following information then you should send it securely:
- Names (if within a given context)
- Social Security numbers
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Device identifiers and serial numbers
- Internet protocol addresses
- Full face photos and comparable images
- Biometric identifiers (e.g. retinal scans, fingerprints)
- Any unique identifying number or code
- Payroll Information
- Copies of insurance details/renewals
- Banking information – ACH, account numbers, routing numbers, etc.
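The identifier list above is exactly what an outbound-mail pre-send check looks for before a message is allowed to go out as plain email. The following is an added example written for this page, not the secure email solution mentioned below or any vendor’s product. It scans a message for a handful of the listed categories (Social Security numbers, medical record numbers, account numbers, IP addresses and bank routing numbers) and reports whether the message must be sent encrypted. The patterns, category names and sample messages are all constructed assumptions for illustration; a real deployment would carry a far larger rule set.

```python
"""Pre-send check for outbound mail: flag messages that carry identifiers
from the secure-email list so they are routed through encrypted email.
Added example for illustration only; patterns are assumptions, not a
complete DLP rule set."""
import re
from dataclasses import dataclass

# Constructed patterns (assumptions). SSN rule excludes area 000/666/9xx,
# group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
NINE_DIGITS_RE = re.compile(r"\b\d{9}\b")  # candidate ABA routing numbers
MRN_RE = re.compile(
    r"\b(?:MRN|medical record (?:number|no\.?))\s*[:#]?\s*\d{5,}\b", re.I
)
ACCOUNT_RE = re.compile(
    r"\b(?:account|acct)\s*(?:number|no\.?|#)?\s*[:#]?\s*\d{6,}\b", re.I
)


def aba_checksum_ok(digits: str) -> bool:
    """ABA routing transit number check digit: weights 3,7,1 repeated,
    weighted sum must be divisible by 10. Cuts false positives on
    arbitrary nine-digit numbers such as order IDs."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four characters so the finding itself does not
    leak the identifier into logs or alerts."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


@dataclass
class Finding:
    category: str
    redacted: str


def scan(text: str) -> list:
    """Return one Finding per identifier hit, with the value redacted."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", redact(m.group())))
    for m in MRN_RE.finditer(text):
        findings.append(Finding("mrn", redact(m.group())))
    for m in ACCOUNT_RE.finditer(text):
        findings.append(Finding("account_number", redact(m.group())))
    for m in IPV4_RE.finditer(text):
        findings.append(Finding("ip_address", redact(m.group())))
    for m in NINE_DIGITS_RE.finditer(text):
        if aba_checksum_ok(m.group()):
            findings.append(Finding("routing_number", redact(m.group())))
    return findings


def decide(text: str) -> dict:
    """Pre-send decision: which categories were found and whether the
    message must go through encrypted email instead of plain mail."""
    findings = scan(text)
    return {
        "must_encrypt": bool(findings),
        "categories": sorted({f.category for f in findings}),
        "findings": findings,
    }


# Constructed sample messages (not real data).
SAMPLE_MESSAGES = [
    "Hi Dana, patient MRN: 4471902 needs follow-up; SSN 123-45-6789 on file.",
    "Lunch Friday? Conference room B is booked for the 3pm meeting.",
    "Wire instructions: routing 021000021, acct # 99887766 at First Bank.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict = decide(msg)
        action = "ENCRYPT" if verdict["must_encrypt"] else "plain ok"
        print(f"{action:9} {verdict['categories']}  <- {msg[:40]}...")
```

The routing-number check shows the kind of validation worth adding to a bare pattern: any nine-digit string matches `\d{9}`, but only values that pass the ABA check digit are reported, and every reported value is redacted before it reaches a log. Run as a script, the first and third sample messages are flagged for encryption and the second passes.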
For information about our secure email solution, clients can contact their client account manager. If you are interested in learning more about our managed and cloud solutions contact us today!