Does Exchange 2007 with an SSL certificate (3rd party verification not self-generated) encrypt in order to use a fax server with Exchange that contains PHI?

Posted on 2010-01-08
Last Modified: 2012-05-08
We have a fax server that does not have IIS and is behind a firewall. Our Exchange server (which does have IIS and is also behind the firewall) is covered by our SSL certificate for OWA and ActiveSync. I want to have the fax server integrate with Exchange in order to help us work towards having a smaller paper footprint. Our faxes contain PHI from insurance companies and medical facilities. I know that Outlook 2007 and Exchange OWA "encrypt" email if directed through port 443, but is it safe for sending faxes through the system, or does it violate HIPAA?
Question by: Thom Gann

Expert Comment by: Dave Howe
The fax server should be using SMTP (not OWA) to send the email. The encrypted form (called SMTPS or SMTP/TLS) is fully supported on 2007 and in fact can be enforced (rejecting non-TLS mail on that listener; you would probably want to set up such an enforcing listener specifically for this task).
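
An added example, not from the thread, of the enforcing listener described above: Exchange 2007 Management Shell commands that create a Receive connector reserved for the fax server and set it to reject anything not sent inside a TLS session. The server name and IP addresses are placeholders.

```powershell
# Added example, not from the thread: a dedicated Exchange 2007 Receive
# connector on the Hub Transport server that accepts mail only from the fax
# server and only inside a TLS session. Placeholder values: HUB01 is the Hub
# Transport server, 10.0.0.10 its SMTP address, 10.0.0.25 the fax server.
$hub   = "HUB01"
$hubIp = "10.0.0.10"
$faxIp = "10.0.0.25"
$name  = "Fax Server - TLS required"

# The connector answers on port 25 like the default one, but its narrow
# RemoteIPRanges means Exchange selects it for sessions from the fax server.
# AnonymousUsers lets the fax server submit inbound faxes to internal
# mailboxes without an account.
New-ReceiveConnector -Name $name -Server $hub -Usage Custom `
    -Bindings "${hubIp}:25" -RemoteIPRanges $faxIp `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers

# Reject any session on this connector that has not issued STARTTLS, so a
# fax containing PHI cannot be submitted in the clear even if the fax
# server is misconfigured.
Set-ReceiveConnector -Identity "$hub\$name" -RequireTLS $true

# STARTTLS needs a certificate with the SMTP service enabled on the Hub;
# list what is installed and confirm "SMTP" appears under Services for the
# certificate in use (run on the Hub Transport server).
Get-ExchangeCertificate | Format-List Thumbprint,Subject,Services

# Verify the resulting connector settings.
Get-ReceiveConnector -Server $hub | Where-Object { $_.Name -eq $name } |
    Format-List Name,Bindings,RemoteIPRanges,AuthMechanism,RequireTLS,PermissionGroups
```

Run from the Exchange Management Shell on a Hub Transport server; the fax server itself must then be configured to use STARTTLS when delivering to 10.0.0.10, or its submissions will be refused.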

Author Comment by: Thom Gann
The fax server does use SMTP, but the HIPAA violation would come when someone opens their email on a PDA or OWA, because then the email with the fax attachment would be vulnerable. It is for this case that I am trying to research to what degree the SSL encrypts the email. If it does not keep it contained in encrypted format no matter the access point, then I will not be able to move to a fax server solution with Exchange, rather a folder delivery, which defeats the entire purpose. I do appreciate your feedback.
Accepted Solution

That is purely a config issue, but yes, you should not be serving either OWA or RPC-over-HTTP without it being HTTPS. That being the case, it should be heavily encrypted in both cases.

However, the normal mode of access on the LAN (MAPI) is not so heavily encrypted, and of course that is purely transport encryption: the data itself will be stored, unencrypted, in the email database (and probably in backups too).

Author Closing Comment by: Thom Gann

Everything is now over HTTPS, and the backups are not an issue as they are completely in-house and not available outside of IT. Thank you for the help.
