5 Email Compliance Mandates and Regulations

Written by Mike Rede on December 14, 2010

Recently a close family member spent some time in the hospital. Luckily everything turned out okay and they have since returned home. But while there I noticed that the hospital staff was very rigorous in guarding patients’ privacy and their records in particular.

Understandably, only immediate family members were allowed in the room. Information that helped us understand our family member’s illness was freely given. But no hospital records were ever left in our view. And even at the nurses’ station, all records and patient-related information were kept out of view.

All medical documents have to be completed and protected as per the laws which govern patients’ privacy. And anything electronic must also meet the requirements and standards for the medical industry. Likewise, email for that field must conform to rules and regulations that protect patient information.

Protecting information and complying with privacy laws is not just for the healthcare field. All email administrators must be aware of the email laws and regulations that are specific to their own business fields as well. Luckily there are many technologies that can be used across the various industries. Those technologies include: authentication, encryption, content filtering, hardened message server software, and archiving, as well as anti-spam and anti-virus software.

Here then is a list of the various email compliance laws that exist for a majority of businesses and industries:

  1. HIPAA – The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was passed by Congress to ensure that the healthcare industry handled patient information in a secure manner. Many of the requirements affected how securely information was communicated. HIPAA mandated that healthcare organizations must protect email messages that contain health information whether they are encrypted or not. Even email messages that are referenced from unencrypted links must be protected. It also specifies that sender and recipient identities must be authenticated and verified. Both stored information and transmitted information must be protected to adhere to HIPAA standards. Security technologies such as encryption are used to protect electronic health information from unauthorized access.
  2. SOX – The Sarbanes-Oxley Act (SOX) was enacted on July 30, 2002. The Sarbanes-Oxley Act was named after its sponsors, Senator Paul Sarbanes and Representative Michael Oxley. Its main purpose was to ensure that a high level of accountability and transparency was maintained by public companies. It defined significant financial reporting and auditing practices for publicly traded companies. Two sections of the legislation affect the transmission of electronic messages: sections 302 and 404. Taken together, these sections specify the security measures that must be applied to the electronic message systems of publicly traded companies. These security requirements include: identification of information that must be kept confidential; identification of individual message senders; secure transmission of email; hardening of email servers that store confidential information; tracking and logging of message communications; auditing capabilities; and message indexing, archiving, and retention.
  3. GLBA – The Gramm-Leach-Bliley Act (GLBA) was signed in 1999 and became fully effective in 2001. It is specific to the financial services industry and is meant to protect consumers’ private financial data. The act defines private data as “Nonpublic Personal Information”, also known as NPI. GLBA is similar to the HIPAA security requirements with respect to data that is stored and data in transit – both data states must be encrypted. Within GLBA are several rules which apply to the security of email traffic. For instance, the Safeguards Rule refers to tools that can help to encrypt or block email traffic based on sender, recipient, and content. It describes the process by which companies must take action to protect NPI data. Companies must also demonstrate logging and reporting capabilities, anti-spam, anti-phishing and protection from viruses. The Financial Privacy Rule provides for opt-out policies and privacy notices and governs the collection and use of NPI data.
  4. The securities industry is governed by the Securities and Exchange Commission (SEC) and the National Association of Securities Dealers (NASD). Both organizations have enacted regulations mandating the archival, indexing, storage and retrieval of electronic communications, including email.
  5. The hedge fund industry is also governed by the Securities and Exchange Commission (SEC). Hedge funds, also known as private investment pools, must meet security requirements related to the securing, managing and archiving of all electronic communication, including email and instant messages.

In addition, the OCC Advisory on Electronic Record Keeping mandated security standards for electronic retention systems that are to be implemented by the banking industry.
