

Notifications for outbound HIPAA violations

encryption hipaa outbound filter

3 replies to this topic

#1 tech-ut

  • Members
  • 2 posts

Posted 21 June 2019 - 03:33 PM

We use a custom text pattern to apply encryption to outbound messages. But we would also like to use the outbound predefined filters for HIPAA, which, as I understand, should automatically block, quarantine, or encrypt outbound messages that match those filters.


This is great, it might catch and encrypt some outgoing emails that were sent without the user entering our custom text pattern.  But managers need to know when this is happening so they can train users appropriately.  In fact a message both to the sender and the manager saying "this message contains PHI and should have been encrypted" would be optimal.  


Does anyone know of a way to do this?

#2 Michelle Exner


    BSF / BESS Moderator

  • Moderators
  • 409 posts

Posted 21 June 2019 - 05:33 PM

Are you asking for an email to go back to the sender and the admin if an email hits an encryption policy?

If so, we have a feature request for that, but it is not a very high priority as we have only seen a small number of customers request it.

You can, however, do a simple search from the message log for all recent encrypted messages.


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300

#3 Josh

  • Members
  • 5 posts
  • Location: Massachusetts, USA

Posted 24 June 2019 - 06:27 AM

I would be extremely cautious about using the HIPAA encryption rule. We use it here and get well over 80% false positives. Part of what it flags on is an address and phone number along with a medical term. So say, for instance, someone has a signature on their email and that signature has their company address and their desk number: there are the required 2 identifiers. Now if there is any term that can be even loosely related to medical, for example "exam", something our teachers write a lot, that message is encrypted. We have this rule enabled out of necessity, but I much prefer the manner in which our previous email security (Cisco Ironport) worked; it was much more granular. Also, don't be fooled by the "you can add exceptions" advice. Exceptions are limited to address and phone number. We have over 200 phones and you can't use wildcards; the exceptions build a list with one number per line, so after my bulk import I have under my exceptions 200 single lines with phone numbers on them. The encryption-by-rule feature is incredibly important today; however, much like the boy who cried wolf, with so many false positives and the frustration found by recipients who either cannot get to the ESS site to open the message or have the encrypted message filtered out by their own email security, it is driving users to circumvent institutional email and send business content via personal web-mail / ISP email accounts.
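The false-positive mechanism described in post #3, as an added example that is not part of the original thread and is not Barracuda's filter code: a simplified model of a "two identifiers plus a medical term" rule with an exact-match phone exception list. The regexes, the term list other than "exam", the function name and the sample messages are all assumptions constructed for illustration.

```python
import re

# Assumption: stand-in patterns for "phone number" and "street address".
PHONE_RE = re.compile(r"\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}")
ADDRESS_RE = re.compile(
    r"\b\d{1,5}\s+(?:\w+\s+){1,3}(?:Street|St|Avenue|Ave|Road|Rd)\b", re.I)
# "exam" comes from the post; the other terms are assumed.
MEDICAL_TERMS = {"exam", "diagnosis", "patient", "treatment"}


def classify(message, phone_exceptions=frozenset()):
    """Model of the rule: encrypt when >= 2 identifiers and >= 1 medical term.

    phone_exceptions is compared literally, one number per entry,
    mirroring the no-wildcard exception list described in the post.
    """
    phones = [p for p in PHONE_RE.findall(message)
              if p not in phone_exceptions]
    addresses = ADDRESS_RE.findall(message)
    words = set(re.findall(r"[a-z]+", message.lower()))
    terms = sorted(words & MEDICAL_TERMS)
    identifiers = phones + addresses
    return {
        "encrypt": len(identifiers) >= 2 and bool(terms),
        "identifiers": identifiers,
        "terms": terms,
    }


# Constructed sample: no PHI, only a signature block and the word "exam".
SIGNATURE = "\n--\nPat Doe\nExample School, 12 Example Street\nDesk: 555-010-0142\n"
TEACHER_MAIL = "Reminder: the chemistry exam is on Friday." + SIGNATURE
LUNCH_MAIL = "Lunch is at noon in the staff room." + SIGNATURE

if __name__ == "__main__":
    cases = [
        ("teacher mail, no exceptions", TEACHER_MAIL, frozenset()),
        ("teacher mail, exact exception", TEACHER_MAIL, frozenset({"555-010-0142"})),
        ("teacher mail, wildcard entry", TEACHER_MAIL, frozenset({"555-010-*"})),
        ("lunch mail, no exceptions", LUNCH_MAIL, frozenset()),
    ]
    for label, mail, exceptions in cases:
        print(f"{label}: {classify(mail, exceptions)}")
```

In this model the signature alone supplies both identifiers, so any loosely medical word in the body triggers encryption, and a wildcard entry in the exception list changes nothing because entries are matched literally.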

#4 tech-ut

  • Members
  • 2 posts

Posted 24 June 2019 - 10:05 AM

Thank you for the info.  I have a family member that works for a medical firm and whenever she accidentally emails PHI outside their organization, she gets contacted by IT asking why she did that.  That notification is what I was looking for.


It sounds like the HIPAA encryption rule may not be customized enough to be effective.  I want to avoid any false positives.