Data Loss Prevention (DLP)
Data Loss Prevention
The HIPAA Privacy Program is working in conjunction with The University of Arizona's Health Care Components (HCCs) and University Information Technology Service (UITS) to help improve the security of our email systems. This involves the use of a data loss protection (DLP) solution. The DLP solution helps the University of Arizona reduce risk for its end users when sending Protected Health Information (PHI) via email.
How does DLP work?
All PHI is required to be sent encrypted via email. The DLP is designed to detect unencrypted email being sent from the HCCs. If the sender encrypts the email the DLP will verify the encryption and take no further action.
When someone in a HCC sends an email containing PHI unencrypted, the DLP is triggered and identifies the presence of the PHI using automated processes. It then encrypts the email and notifies the sender that the email has been encrypted.
Sensitive data should be redacted from email whenever possible, and all users should manually encrypt any email containing PHI. Here is the link for how to encrypt email in Office 365.
Frequently Asked Questions
All departments, clinics, and programs that handle PHI at the University of Arizona or are designated a Health Care Component (HCC) under the University of Arizona's hybrid designation are enrolled in the DLP solution.
The DLP is not designed to replace self-encryption. No DLP is perfect and your email could still be sent unencrypted.
For INTERNAL users, email will still be viewable through the normal email clients. ( e.g. Outlook, OWA)
For EXTERNAL users, they will use a 2 step approach to view the email:
- Double click on the attachment from within the encrypted email, and request a one time PIN
- one-time PIN will be emailed to the same email address.
- Use one-time PIN to open up the encrypted email.
No, only emails that trigger DLP will be encrypted.
No. Any event of an unauthorized user given access to PHI via email must be reported to the HIPAA Privacy Program. If you mistakenly sent sensitive data to an unauthorized individual, instruct the recipient to delete the email, and report the incident to the HIPAA Privacy Program.
DLP will be enabled globally for all HCCs and units handling PHI. If you do not send sensitive data within these units, this implementation will have no impact on you.
PHI is personal information + any health information that could be used to identify an individual. If you are not sure if your data is PHI, please contact the HIPAA Privacy Program.