Technical Safeguards (164.312)

Transmission Security Policy

45 CFR § 164.312(e)

Guards against unauthorized access to ePHI being transmitted over electronic networks. Addresses encryption of data in transit, integrity controls for transmitted data, and secure communication channel requirements including email and fax.

What's Included

  • Policy document
  • Encryption standards reference
  • Secure communication methods guide
  • Implementation checklist
  • Annual review template

3 pages · ~1,337 words · 9 sections · Estimated customization: ~10 minutes · Last updated May 2026

Sample Preview

Page 1 of 3

Transmission Security Policy

Version 1.0 · Effective [EFFECTIVE DATE] · Approved by [PRIVACY/SECURITY OFFICER NAME]

1. Purpose

This policy establishes the technical security measures [PRACTICE NAME] implements to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network. It addresses both encryption of transmitted data and integrity controls to ensure data is not improperly modified during transmission.

2. Scope

This policy applies to all electronic transmissions of ePHI, including but not limited to: email, fax (electronic/IP-based), file transfers, remote access sessions, web-based application access, HL7/FHIR interface communications, API calls, and any other method of electronically transmitting ePHI between systems, locations, or entities. It applies to transmissions within [PRACTICE NAME]'s internal network and to transmissions over external networks (the internet).

3. Policy Statement

[PRACTICE NAME] shall implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network, as required by 45 CFR § 164.312(e)(1). The practice shall address both integrity controls (45 CFR § 164.312(e)(2)(i)) and encryption (45 CFR § 164.312(e)(2)(ii)) for ePHI in transit.

4. Definitions

Encryption (in transit): The conversion of data into a coded form during transmission so that it cannot be read by unauthorized parties who may intercept the communication.

TLS (Transport Layer Security): A cryptographic protocol designed to provide communications security over a computer network, commonly used for web traffic (HTTPS), email, and other internet communications.

VPN (Virtual Private Network): An encrypted network connection that creates a secure tunnel over a public network (the internet), enabling private data to be sent securely.

SFTP (Secure File Transfer Protocol): A file transfer protocol that provides secure file transfer over SSH (Secure Shell).

End-to-End Encryption: A method of communication where only the communicating users can read the messages, with no intermediary having access to the decryption keys.

5. Procedures

1. ENCRYPTION REQUIREMENTS FOR TRANSMITTED ePHI

1.1 All ePHI transmitted over external (public) networks shall be encrypted using current, industry-standard encryption protocols:
  • Web traffic: TLS 1.2 or higher (HTTPS), with TLS 1.3 recommended for data in transit where supported. TLS 1.0 and 1.1 are prohibited.
  • Email: TLS encryption enforced for email systems that transmit ePHI. Where TLS cannot be verified, use a HIPAA-compliant encrypted email service or portal-based secure messaging.
  • File transfers: SFTP, FTPS, or SCP. Unencrypted FTP is prohibited for ePHI.
  • Remote access: VPN with AES-256 encryption, or equivalent secure remote access solution.
  • API communications: HTTPS (TLS 1.2+) for all API calls transmitting ePHI.

1.2 Internal Network Transmission: Encryption of ePHI transmitted within [PRACTICE NAME]'s internal network is [REQUIRED/ADDRESSED THROUGH ALTERNATIVE MEASURES — specify]. If encryption is not implemented for internal transmissions, the practice shall document the alternative security measures (e.g., network segmentation, physical security of network infrastructure) and the rationale per 45 CFR § 164.306(d).

1.3 Wireless Networks: ePHI shall not be transmitted over wireless networks unless the network is encrypted with WPA3 or WPA2 (AES). Open or WEP-encrypted wireless networks shall never be used for ePHI. Guest wireless networks shall be segregated from the network used for ePHI systems.

2. INTEGRITY CONTROLS FOR TRANSMITTED ePHI

2.1 Transmission protocols used for ePHI shall include built-in integrity verification. TLS, SSH, and IPsec all provide integrity checking as part of the protocol.

2.2 For batch file transfers of ePHI (e.g., claims files, lab results), the receiving system shall verify the completeness and integrity of the transfer through record counts, checksums, or hash verification.

2.3 If integrity controls are determined not to be reasonable and appropriate for a specific transmission method, the decision shall be documented with alternative measures per 45 CFR § 164.306(d).
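The receiving-side check that section 2.2 calls for, as an added example (this is not part of the template and not D3rx code): the receiver recomputes a SHA-256 hash of the file it got, compares it in constant time against the hash in the sender's manifest, and checks the record count. The sample claims file, its manifest, and the one-record-per-line convention are constructed for the example; a real interface would take the expected hash and count from the trading partner's manifest or acknowledgment message.

```python
"""Added example: integrity verification of a received batch ePHI file
(record count + SHA-256 hash against the sender's manifest).
Standard-library only; all sample data below is constructed."""
import hashlib
import hmac
from typing import Dict

# Constructed sample: a three-record, pipe-delimited claims file exactly
# as the sender transmitted it. Values are placeholders, not real data.
SAMPLE_FILE = (
    b"CLAIM-0001|2026-05-01|99213\n"
    b"CLAIM-0002|2026-05-01|99214\n"
    b"CLAIM-0003|2026-05-02|99213\n"
)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the file bytes as received."""
    return hashlib.sha256(data).hexdigest()


def count_records(data: bytes) -> int:
    """One record per non-empty line (assumed file convention)."""
    return sum(1 for line in data.splitlines() if line.strip())


def verify_batch(data: bytes, expected_sha256: str, expected_records: int) -> Dict[str, object]:
    """Return a result the receiving system can log with the transfer.

    Both checks must pass; a failure of either means the file is rejected
    and the sender is asked to retransmit. The hash compare is constant-time
    so the comparison itself leaks nothing about the expected value.
    """
    actual_hash = sha256_hex(data)
    actual_records = count_records(data)
    hash_ok = hmac.compare_digest(actual_hash.lower(), expected_sha256.lower())
    count_ok = actual_records == expected_records
    return {
        "accepted": hash_ok and count_ok,
        "hash_ok": hash_ok,
        "count_ok": count_ok,
        "expected_records": expected_records,
        "actual_records": actual_records,
        "sha256": actual_hash,
    }


if __name__ == "__main__":
    # Constructed manifest the sender would deliver alongside the file.
    manifest = {"sha256": sha256_hex(SAMPLE_FILE), "records": 3}
    print(verify_batch(SAMPLE_FILE, manifest["sha256"], manifest["records"]))

    # Truncated transfer: the last record was lost in transit. Both the
    # record count and the hash catch it.
    truncated = b"".join(SAMPLE_FILE.splitlines(keepends=True)[:2])
    print(verify_batch(truncated, manifest["sha256"], manifest["records"]))
```

The record count alone would miss a file that arrived complete but with a corrupted field, which is why 2.2 lists it alongside checksums or hashes; the hash catches any byte-level change, the count gives the operator a human-readable reason when a transfer is short.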

3. EMAIL CONTAINING ePHI

3.1 Workforce members shall not send ePHI via standard unencrypted email unless the email system enforces TLS encryption with the recipient's mail server.

3.2 If the practice cannot verify that TLS is enforced end-to-end, ePHI shall be sent using: a HIPAA-compliant encrypted email service (e.g., [SERVICE NAME]), the patient portal's secure messaging feature, or a password-protected encrypted attachment with the password communicated through a separate channel.

3.3 Workforce members shall verify the recipient's email address before sending ePHI to prevent misdirected emails.

4. FAX TRANSMISSION

4.1 Whether a fax transmission falls within the scope of the Security Rule's transmission security requirement turns on whether the information existed in electronic form immediately before and/or after the transmission, not merely on the type of device used. A traditional paper-to-paper fax sent over the public switched telephone network (PSTN) — paper fed into an analog machine and printed on paper at the other end — transmits information that is not in electronic form (ePHI) at either endpoint, so the PSTN acts as a mere conduit and such a transmission is generally outside the ePHI transmission security requirement. This does not, however, relieve the practice of its other privacy and physical safeguard obligations for the paper PHI involved.

4.2 By contrast, IP-based or computer-based fax (eFax, cloud fax, fax servers, or any fax that originates from or is delivered to an electronic system) handles ePHI in electronic form and is within the scope of this policy; such transmissions shall use encryption (TLS or equivalent) and meet the integrity controls in Section 2.

4.3 Regardless of fax type: verify the recipient fax number before transmitting, use a cover page marked "Confidential — contains protected health information," and confirm delivery.

5. PROHIBITED TRANSMISSION METHODS

5.1 The following methods shall not be used to transmit ePHI: unencrypted email (unless TLS is verified), standard text messaging (SMS/MMS), consumer-grade messaging apps (iMessage, WhatsApp, Facebook Messenger) unless evaluated and approved by the Security Officer. Approval of any messaging application for ePHI requires more than encryption alone: the Security Officer shall complete a documented risk analysis of the application, confirm that appropriate access controls (authentication, device controls, and the ability to remotely wipe or revoke access) are in place, and ensure a Business Associate Agreement is executed with the vendor where the vendor creates, receives, maintains, or transmits ePHI on the practice's behalf. Encryption is necessary but not sufficient for approval. Other prohibited methods include unencrypted FTP, and public file-sharing services (Dropbox, Google Drive personal accounts) unless a HIPAA-compliant enterprise version with a signed BAA is in place.

6. Roles & Responsibilities

Security Officer ([SECURITY OFFICER NAME]): Defines transmission security requirements. Evaluates new communication tools and methods for compliance. Reviews exceptions and alternative measure documentation.

IT Manager/Vendor ([IT CONTACT NAME]): Configures and maintains encryption on all transmission channels. Manages the VPN, email encryption, and secure file transfer infrastructure. Monitors for protocol downgrade attacks and expired certificates. Ensures wireless networks meet encryption requirements.

All Workforce Members: Use only approved methods for transmitting ePHI. Verify recipient information before sending. Report any transmission errors (misdirected fax, email to wrong recipient) immediately as a potential security incident.

7. Review Schedule

This policy shall be reviewed at least annually and updated to reflect changes in encryption standards, communication technologies, and regulatory guidance. TLS configurations shall be reviewed at least annually to ensure deprecated protocol versions are disabled.
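Two parts of this template map directly onto client TLS configuration: the protocol floor in procedure 1.1 (TLS 1.2 minimum, TLS 1.0 and 1.1 prohibited) and the annual review in section 7 that checks deprecated versions are disabled. The block below is an added example, not part of the template and not D3rx code, using only Python's standard `ssl` module: `build_policy_context()` constructs a client context that meets 1.1, and `audit_context()` is a review check that reports any setting that would violate it. The `weak_client_context()` helper exists only to give the audit something non-compliant to flag and is not a configuration anyone should deploy.

```python
"""Added example: a client TLS context that meets the policy's protocol
floor, plus a review-time audit of an existing context. Stdlib only."""
import ssl
from typing import Dict, List

# Negotiated protocol names as returned by SSLSocket.version(); the policy
# (procedure 1.1) permits the first set and prohibits the second.
PERMITTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
PROHIBITED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def policy_allows(protocol_version: str) -> bool:
    """True if a negotiated protocol version is acceptable under the policy."""
    return protocol_version in PERMITTED_VERSIONS


def build_policy_context() -> ssl.SSLContext:
    """Client context that cannot negotiate below TLS 1.2 and verifies peers.

    create_default_context() already turns on certificate and hostname
    verification; the minimum version is set explicitly so the floor does
    not depend on the interpreter's or OpenSSL's defaults.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Deliberately non-compliant context used only as audit input."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Annual-review check (section 7): list every policy violation found."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS 1.1 or lower")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification not required")
    return {"compliant": not findings, "findings": findings}


if __name__ == "__main__":
    print("policy context:", audit_context(build_policy_context()))
    print("weak context:  ", audit_context(weak_client_context()))
    for name in sorted(PERMITTED_VERSIONS | PROHIBITED_VERSIONS):
        print(f"{name:8s} allowed={policy_allows(name)}")
```

At connection time, `policy_allows(sock.version())` after the handshake gives a second, independent confirmation that the negotiated version is one the policy permits, which is useful in the transmission logs the IT manager reviews for downgrade attempts. The audit function inspects the context object only; it does not open a connection, so it can run offline against the configuration a service actually loads.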

8. Documentation

This policy and all related records (encryption configurations, exception and alternative-measure determinations under 45 CFR § 164.306(d), and transmission-incident reports) shall be documented in writing and retained for a minimum of six (6) years from the date of creation or the date when last in effect, whichever is later, as required by 45 CFR § 164.316(b)(2)(i). Documentation shall be made available to those responsible for implementing the procedures and shall be reviewed and updated periodically in response to environmental or operational changes affecting the security of ePHI, per 45 CFR § 164.316(b)(2)(ii)–(iii).

9. Regulatory References

45 CFR § 164.312(e)(1) — Transmission security (Required)
45 CFR § 164.312(e)(2)(i) — Integrity controls (Addressable)
45 CFR § 164.312(e)(2)(ii) — Encryption (Addressable)
45 CFR § 164.306(d) — Implementation specifications for addressable safeguards
45 CFR § 164.402 — Definition of unsecured PHI (encryption renders PHI "secured" only when it meets the HHS/NIST standards specified in HHS breach safe-harbor guidance; encryption that does not meet those standards does not qualify)
45 CFR § 164.316 — Documentation (maintain written policies and retain documentation for 6 years)
NIST SP 800-52 Rev. 2 — Guidelines for the Selection, Configuration, and Use of TLS Implementations
HHS Guidance on Securing ePHI on Mobile Devices and in Transit

D3rx · HIPAA Compliance Templates

Templates require customization and legal review before adoption. Not legal advice. See full disclaimer.