Because email is one of the most common ways data is transmitted, it is also one of the easiest ways for sensitive data, like patient data and other confidential records, to be leaked. These leaks put you in danger of major fines from HIPAA violations.
HIPAA regulation 164.312 (e) (1) states:
Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
Although this particular requirement seems really simple, there are many different ways in which it could be (and has been) interpreted. On the surface the requirement seems to point to the need to use mechanisms such as encryption and authorization any time that patient health data is being transmitted from one person to another.
Another way of looking at this requirement, however, is that the regulation requires you to take measures to prevent patient health data from being transmitted in an insecure manner or to an unauthorized recipient. In other words, it is prudent for a covered entity to take steps to make sure that patient health data is not sent by email at all (unless a long list of very specific requirements is met).
One way of helping to make sure that patient health data is not sent by email is to take advantage of the Microsoft Exchange Server 2013 Data Loss Prevention feature. This feature is designed to look at outbound email to see if it contains any sensitive data that should not be emailed.
The Data Loss Prevention feature is based around the use of Data Loss Prevention policies (which can be created through the Exchange Administrative Center). These policies are nothing more than a collection of transport rules. Although transport rules have existed since the days of Exchange Server 2007, Microsoft has enhanced the available transport rules so that they are better equipped to handle the task of data loss prevention.
First-generation transport rules were designed primarily to perform lightweight compliance tasks, such as appending a disclaimer to the end of outbound email messages. Exchange Server 2013 is still able to perform these types of tasks, but the transport rules engine is far more dynamic than in previous editions. For example, it is now possible to count the number of times that a particular item (such as a Social Security number) occurs within an email message and then take action only if a certain threshold is crossed.
Exchange Server 2013's new detection capabilities are nice, but by themselves they do very little to help an organization protect itself against the leakage of electronic protected health data. You must actually create and enforce rules that are designed to trap unauthorized email messages. This is where the Data Loss Prevention feature really shines.
The thing that makes the Data Loss Prevention feature different from a basic transport rule repository is that Microsoft makes it possible to build a Data Loss Prevention policy from a template. There are a number of different templates baked into Exchange Server 2013, including a HIPAA template (it is listed as the US Health Insurance Act template).
When you create a DLP policy based on the HIPAA template, the policy will include about half a dozen predefined rules (you are also free to create your own). Some of these rules refer to the message content. For example, there is a rule that takes action if the message contains a social security number or a Drug Enforcement Agency number.
Other rules are geared toward deep scanning of email attachments. In essence, if a message contains an attachment that cannot be fully processed (such as might be the case for an unknown attachment type), the policy can take action on the message, since an attachment that cannot be scanned cannot be cleared of patient data either.
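To show how the pieces above fit together (a policy built from the HIPAA template, a counting rule with a threshold, and an attachment rule), here is an added Exchange Management Shell example. It is not from the article; the policy and rule names, the compliance mailbox, and the exact data-classification names are assumptions, so verify the classification names with Get-DataClassification before using them.

```powershell
# Added example, not part of the original article. Run from the Exchange Management Shell.
# Assumed values: policy/rule names, the compliance mailbox, and the data-classification
# names (check them with Get-DataClassification; they vary by Exchange build and locale).

# 1. Create a policy from the built-in HIPAA template. Start in Audit mode so nothing
#    is blocked while the rules are tuned against real mail flow.
$template = Get-DlpPolicyTemplate | Where-Object { $_.Name -like "*Health Insurance*" }
New-DlpPolicy -Name "HIPAA Outbound" -Template $template.Name -Mode Audit

# 2. The policy is just a collection of transport rules; list what the template created.
Get-TransportRule | Where-Object { $_.DlpPolicy -eq "HIPAA Outbound" } |
    Format-Table Name, Mode, State

# 3. Counting rule, low volume: 1-9 SSN or DEA numbers leaving the organization
#    only warns the sender with a Policy Tip and raises a medium-severity audit entry.
$ssn = @{ Name = "U.S. Social Security Number (SSN)"; MinCount = 1; MaxCount = 9 }
$dea = @{ Name = "Drug Enforcement Agency (DEA) Number"; MinCount = 1; MaxCount = 9 }
New-TransportRule -Name "HIPAA: few identifiers - notify" `
    -DlpPolicy "HIPAA Outbound" -SentToScope NotInOrganization `
    -MessageContainsDataClassification $ssn, $dea `
    -NotifySender NotifyOnly -SetAuditSeverity Medium

# 4. Counting rule, threshold crossed: 10 or more identifiers is treated as a bulk
#    leak; reject unless the sender records a justification, and file an incident report.
$ssnBulk = @{ Name = "U.S. Social Security Number (SSN)"; MinCount = 10 }
$deaBulk = @{ Name = "Drug Enforcement Agency (DEA) Number"; MinCount = 10 }
New-TransportRule -Name "HIPAA: bulk identifiers - block" `
    -DlpPolicy "HIPAA Outbound" -SentToScope NotInOrganization `
    -MessageContainsDataClassification $ssnBulk, $deaBulk `
    -NotifySender RejectUnlessExplicitOverride `
    -RejectMessageReasonText "Bulk patient identifiers may not leave the organization by email." `
    -SetAuditSeverity High `
    -GenerateIncidentReport "compliance@contoso.example"

# 5. Attachment rule: an attachment the engine cannot scan (unsupported type) cannot be
#    cleared of patient data, so hold the message for a moderator instead of delivering it.
#    AttachmentProcessingLimitExceeded is the sibling condition for oversized attachments.
New-TransportRule -Name "HIPAA: unscannable attachment" `
    -DlpPolicy "HIPAA Outbound" -SentToScope NotInOrganization `
    -AttachmentIsUnsupported $true `
    -ModerateMessageByUser "compliance@contoso.example" `
    -GenerateIncidentReport "compliance@contoso.example"

# 6. Once the incident reports show an acceptable false-positive rate, enforce the policy.
Set-DlpPolicy -Identity "HIPAA Outbound" -Mode Enforce
```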
The Exchange Data Loss Prevention feature can go a long way toward preventing the leakage of electronic protected health data. However, most organizations will need to customize the rules used by a DLP policy based on the HIPAA template.
And, of course, none of this supplants the value of good security training for your staff, common-sense policies, and physical security of workstations and mobile devices. But when one of these policies fails (and we know they do, especially those involving the human element), you might be able to stop (or contain) a breach through the use of Data Loss Prevention.