Shauna Baughcum, MSHA, CHC, CHPC, CPC
Assistant Director, Corporate Compliance, UMC Health System
The HIPAA Security Rule states you need to encrypt transmitted data that is sent over an open network. An open network means the wild world of the Internet. If you are sending Protected Health Information (PHI) or any sensitive data within a closed network, such as to coworkers, the PHI does not need to be encrypted as long as you have assurances the PHI is not being sent over an open network. For example, if you send an email containing PHI through umchealthsystem.com, you don’t need to encrypt the email. On the other hand, if you send that same email through a method that transmits it OUTSIDE the network, such as a free version of Gmail, it must be encrypted even if it is being sent to someone else who is part of your organization.

Before sending any email to an individual or to a group, double-check that all the email addresses are within the network. If even one address is outside umchealthsystem.com, you need to encrypt. All you need to do to encrypt is type SECURE in the subject line of the email.