Thom Gann asked:

Does Exchange 2007 with an SSL certificate (3rd party verification not self-generated) encrypt in order to use a fax server with Exchange that contains PHI?

We have a fax server that does not have IIS and is behind a firewall. Our Exchange server (which does have IIS and is also behind the firewall) is covered by our SSL for the OWA and ActiveSync. I want to have the fax server integrate with Exchange in order to help us work towards having a smaller paper footprint. Our faxes contain PHI from insurance companies and medical facilities. I know that Outlook 2007 and Exchange OWA "encrypt" email if directed through port 443, but is it safe for sending faxes through the system or does it violate HIPAA?
Dave Howe

The fax server should be using SMTP (not OWA) to send the email. The encrypted form (called SMTPS or SMTP/TLS) is fully supported on 2007 and in fact can be enforced (rejecting non-TLS mail on that listener; you would probably want to set up such an enforcing listener specifically for this task).
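
One way to confirm that a listener really rejects non-TLS mail, as the answer above describes (an added example, not part of the original post): the function names and probe address are hypothetical, and the check assumes the listener answers a plaintext MAIL FROM with the 530 reply that RFC 3207 specifies for this case.

```python
import smtplib


def assess_listener(smtp, probe_sender="tls-probe@example.invalid"):
    """Classify a listener from a session that has NOT issued STARTTLS.

    `smtp` is a connected smtplib.SMTP, or any object with the same
    ehlo/has_extn/mail/rset methods. Only EHLO, MAIL FROM and RSET are
    sent, so no message is ever submitted.
    """
    smtp.ehlo("tls-probe.example.invalid")
    offers_starttls = bool(smtp.has_extn("starttls"))
    code, reply = smtp.mail(probe_sender)  # MAIL FROM over plaintext
    smtp.rset()                            # abandon the transaction
    if isinstance(reply, bytes):
        reply = reply.decode("ascii", "replace")

    if not offers_starttls:
        verdict = "no-tls"         # listener cannot encrypt at all
    elif code == 530:
        verdict = "enforced"       # RFC 3207: STARTTLS must come first
    elif 200 <= code < 300:
        verdict = "opportunistic"  # TLS offered, plaintext still accepted
    else:
        verdict = "inconclusive"   # refused for an unrelated reason
    return {"starttls_offered": offers_starttls, "mail_from_code": code,
            "mail_from_reply": reply, "verdict": verdict}


def check_listener(host, port=25, timeout=10):
    """Open a plaintext session to host:port and classify the listener."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return assess_listener(smtp)


if __name__ == "__main__":
    import sys
    # Usage: python check_listener.py <host> [port]  (hypothetical file name)
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    result = check_listener(sys.argv[1], port)
    print(result)
    sys.exit(0 if result["verdict"] == "enforced" else 1)
```

Run it from the fax server's network segment against the dedicated listener; a verdict of "opportunistic" means TLS is offered but a sender that skips STARTTLS would still be accepted in cleartext.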
Thom Gann (ASKER)

The fax server does use SMTP, but the HIPAA violation would come when someone opens their email on a PDA or OWA because then the email with the fax attachment would be vulnerable. It is for this instance that I am trying to research to what degree the SSL encrypts the email. If it does not keep it contained in encrypted format no matter the access point, then I will not be able to move to a fax server solution with Exchange, rather a folder delivery, which defeats the entire purpose. I do appreciate your feedback.
ASKER CERTIFIED SOLUTION
Dave Howe

This solution is only available to members.
Everything is now over HTTPS and the backups are not an issue as they are completely in-house and not available outside of IT. Thank you for the help.