Saturday February 04, 2012
BridgeFront - http://www.hipaaemployer.net & HIPAA For Employers and Brokers - HOME
 

 

Do You Communicate with Your Broker Electronically (Email, E-Fax, Etc.)?

If those communications contain any specific employee information, there's a high probability that they contain Protected Health Information (known as ePHI or "electronic" PHI). This is the very kind of information that the HIPAA Security Rule is designed to protect, and exchanging it is probably one of the most common activities that employers engage in with regard to ePHI. If this information isn't protected during transit, you are most likely violating one of the provisions of the HIPAA Security Rule.

Do You Store PHI on Your Computer Desktop/Laptop/Network Server?

Think about the spreadsheets, databases, and emails you have on your local system or on your company server. Do they contain PHI? Something as simple as connecting a person to the fact that they are enrolled in a group health plan can meet the definition of PHI. You don't have to have specific details about a medical condition (although this would immediately increase the sensitivity of that information).

It's very common for employers to have spreadsheets of employee information as they prepare for open enrollment. Many times these spreadsheets get emailed to insurance carriers and/or brokers in an unencrypted format. Even outside of HIPAA, in the days of exploding identity theft, if the information in these documents falls into the wrong hands, the potential damage to individuals could be tremendous. Preparing for HIPAA has the added benefit of protecting your employees from potential identity theft in addition to complying with HIPAA.

Is Your Organization's ePHI Backed Up Regularly?

Whether it's on your local machine or a network server, the HIPAA Security Rule requires that this information be protected from disasters. The most basic disaster recovery plan involves backing up critical data and storing it in a safe place, which usually means somewhere offsite. Think of ePHI as being as sensitive as any other confidential information needed to run your business: give it the same protections and you'll be in good shape. If you don't do this already, now is the time to get started.
