Enable and Disable HIPAA Rules


Applies to: Forefront Online Protection for Exchange

Topic Last Modified: 2012-08-21

You must be subscribed to the optional Exchange Hosted Encryption service in order to enable the HIPAA policy filter. The option to enable the HIPAA rule set appears in the Policy Filter Settings section on the Administration tab for customers subscribed to Exchange Hosted Encryption. For more information, see Understanding Additional Subscriptions with FOPE.

You can enable rules in Forefront Online Protection for Exchange (FOPE) that can help your organization comply with the United States Health Insurance Portability and Accountability Act (HIPAA). If you subscribe to the optional Exchange Hosted Encryption service, you can enable an outbound encryption rule by using a policy filter that evaluates outbound email for matches to phrases that, if used in email, require the email to be encrypted, according to HIPAA.

The HIPAA rule set option will display on the Policy Filter Settings section of the Services pane on the Domains tab. The only administrator action is to turn on or off the HIPAA filter in the Policy Filters area. Nothing will appear in the Policy Rules section as a result of this action, though the filter enacts a set of rules to evaluate outbound messages. You cannot modify the rule sets described in the table here; they are provided for your information only.

Two sets of keywords are used to determine if a message should be encrypted. When the HIPAA rule set is enabled, a message will be encrypted if a keyword or pattern from the first rule set is used AND a keyword or phrase from the second set is matched in the same message.

The message subject and body are scanned for matches in both of the following rule sets.


Rule Set 1

  • Mr.
  • Ms.
  • Mrs.
  • Miss
  • St.
  • Pl.
  • Ave.
  • Ct.
  • ‘PO Box’
  • ‘P.O. Box’
  • DOB
  • d.o.b.
  • ‘date of death’
  • death:
  • ‘release date’
  • ‘admit date’
  • ‘date of admission’
  • Age:
  • ‘(ddd) ddd dddd’
  • ‘ddd-ddd-dddd’
  • *@*.com
  • *@*.net
  • *@*.gov
  • *@*.biz
  • SSN
  • ‘Social Security Number’
  • ddd-dd-dddd
  • Account Number:
  • Acct.:
  • Acct. #
  • ‘Certificate Number;’
  • ‘Certificate #’
  • ‘License Number:’
  • ‘License #:’
  • ‘/~*’
  • *.*.*.*

Rule Set 2

  • insured
  • claimant
  • adjuster
  • ‘date of incident’
  • ‘claim #’
  • ‘claim number’
  • ‘medical record’
  • ‘subscriber ID’
  • ‘mammogram’
  • ‘radiological film’
  • x-ray
  • xray
  • injury
  • ‘micro film’
  • ‘ct scan’
  • MRI
  • myelogram
  • ‘dental film’
  • ultrasound
  • tomogram
  • ‘cine film’
  • ‘video film’
  • ‘body scan’
  • confidential
  • pathology
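
The two-set AND logic described above can be reproduced offline to predict which of your own outbound message templates would be encrypted. The following is an added example, not FOPE's own code: the function names are hypothetical, and reading 'd' as one digit and '*' as a run of non-space characters, the case-insensitive matching, and the word-boundary rule are all assumptions, because this page does not document how the filter matches.

```python
import re

# Terms copied from the two rule sets on this page. Reading 'd' as one digit
# and '*' as a run of non-space characters, matching case-insensitively, and
# the word-boundary rule below are assumptions, not documented FOPE behavior.
SET1_LITERALS = [
    "Mr.", "Ms.", "Mrs.", "Miss", "St.", "Pl.", "Ave.", "Ct.", "PO Box",
    "P.O. Box", "DOB", "d.o.b.", "date of death", "death:", "release date",
    "admit date", "date of admission", "Age:", "SSN", "Social Security Number",
    "Account Number:", "Acct.:", "Acct. #", "Certificate Number;",
    "Certificate #", "License Number:", "License #:",
]
SET1_PATTERNS = [
    "(ddd) ddd dddd", "ddd-ddd-dddd", "ddd-dd-dddd",
    "*@*.com", "*@*.net", "*@*.gov", "*@*.biz", "/~*", "*.*.*.*",
]
SET2_LITERALS = [
    "insured", "claimant", "adjuster", "date of incident", "claim #",
    "claim number", "medical record", "subscriber ID", "mammogram",
    "radiological film", "x-ray", "xray", "injury", "micro film", "ct scan",
    "MRI", "myelogram", "dental film", "ultrasound", "tomogram", "cine film",
    "video film", "body scan", "confidential", "pathology",
]

def compile_term(term, wildcard=False):
    """Turn one rule-set entry into a case-insensitive regex."""
    body = "".join(
        r"\d" if wildcard and ch == "d" else
        r"\S+" if wildcard and ch == "*" else
        re.escape(ch)
        for ch in term
    )
    # A term that starts or ends with a letter or digit must not be glued to
    # a longer word, so "St." does not fire on "best." (assumed rule).
    left = r"(?<!\w)" if term[0].isalnum() else ""
    right = r"(?!\w)" if term[-1].isalnum() else ""
    return re.compile(left + body + right, re.IGNORECASE)

def hits(text, literals, patterns=()):
    """Return the rule-set entries found in text, in rule-set order."""
    found = [t for t in literals if compile_term(t).search(text)]
    return found + [p for p in patterns if compile_term(p, True).search(text)]

def evaluate(subject, body):
    """Apply the page's rule: encrypt only if BOTH rule sets match."""
    text = subject + "\n" + body   # subject and body are both scanned
    set1, set2 = hits(text, SET1_LITERALS, SET1_PATTERNS), hits(text, SET2_LITERALS)
    return bool(set1 and set2), set1, set2
# Constructed sample message, not real mail.
print(evaluate("Claim update", "Mr. Smith, the adjuster reviewed your x-ray."))
```

evaluate() returns the encryption decision together with the matched entries from each set, so a message that matches only one set shows which side of the AND was missing.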

Enable or disable message filtering with the HIPAA rule set

  1. On the Administration tab, click the Domains tab.

  2. In the Domains list, click the domain that you want to modify. You can search for a specific domain name by using the search box.

  3. In the Policy Filter Settings section of the center pane, next to HIPAA rule set, click Enable or Disable, depending on the action you want to take.

  4. When prompted, click OK to confirm your decision. If you are enabling the HIPAA rule set, you will be prompted to read a disclaimer, and then accept the disclaimer, before you confirm your decision.

© 2014 Microsoft