Outgoing Email Encryption

Posted by BAS - 07 March, 2012


As part of the ongoing effort to be good stewards of our clients' data, BAS has implemented an outgoing email encryption process.

Every day, BAS receives hundreds of emails from client administrators and employees inquiring about benefits. Often, these messages result in a series of back-and-forth email discussion chains.

Though such email activity is unavoidable, administrators and employees frequently include protected health information (PHI) and personally identifiable information (PII) in their initial or follow-up emails without realizing the potential danger of such actions. Sending emails with PII and/or PHI may be considered a violation of the Health Insurance Portability and Accountability Act (HIPAA) and could put such data at risk.

Email messages ‘hop’ across the servers of many Internet Service Providers (ISPs) between the time the email is sent and the time it reaches BAS email servers.

At each hop, the ISPs have access to all of the email content and attachments that pass through their systems. While it is improbable that any one of the emails sent to BAS would be picked up at any hop point out of the millions of emails that pass through an ISP’s system in a day, it is not an impossible occurrence. Further, within the sender’s own email system, the emails may be accessible by personnel not otherwise privy to the confidential data.

Though BAS cannot control what administrators and employees send to its servers, we can control how those emails move out of our email systems.

BAS Outgoing Email Encryption

BAS Outgoing Email Inspection
All emails BAS employees send pass through BAS' Cisco IronPort encryption system (IronPort) and are evaluated for HIPAA content (PII and/or PHI).

If IronPort detects PII or PHI in the subject, body and/or attachment of an outgoing BAS email, it will automatically encrypt the email and send it.

Opening BAS Encrypted Emails
The first time you receive an encrypted email from BAS, you will need to set up your Cisco Encryption Account (CEA). Your CEA is an account that identifies your email server and personal inbox for use not only with BAS’ Cisco encryption system, but with any other Cisco encryption system you may encounter with other organizations.

Setting Up Your Cisco Encryption Account
Setting up a CEA is a simple and quick process. When you receive the first BAS encrypted email, double-click on the attachment titled “SecureDoc.html”. Your browser will immediately open and display an image of an envelope showing instructions and data fields for setting up your CEA. Once you have completed the setup process, return to your email and double-click again on the attachment titled “SecureDoc.html”; your email will open and any attachments will be readily available.

Subsequent Encrypted Emails
Once you have set up your CEA, you will be able to open future encrypted emails by double-clicking on the attachment titled “SecureDoc.html” and entering your CEA password.

BAS' email encryption process is just one of the many security steps BAS takes for compliance with HIPAA and guidance issued by the National Institute of Standards and Technology.

Topics: MyEnroll360 Security

