Practice - Creating an Audit Policy for HIPAA
In this example, you will use the predefined HIPAA Glossary entries
that are provided with ZixGateway to pre-test the effects of applying two
encryption policies. The first policy records the messages that contain
HIPAA information in the body or attachments. The second policy records
the messages that contain HIPAA information in the subject.
To create an audit policy:
- On the Status tab, select a cluster.
- On the Manage Policies tab, select the Content tab.
Create an audit log for messages that contain HIPAA information
in the body or attachments.
- Enter “HIPAA-Body_Atachments” in the Label field.
- Select the arrow next to the From field and enter “*@marketing.zixcustomer.com”, then click Add Pattern.
- Select the arrow next to the To field and select Enable All Patterns.
- Click
.
The Glossary and Bindings dialog displays.
- In the HIPAA Violation (standard) row, select Body and Attachments.
- Click OK.
You are returned to the Content tab.
- In the Send Options row, select Send, Encrypt & Send, and Send Unencrypted.
- For Output Type select Audit (not matched).
- Click Apply.
Create a log for those messages that contain HIPAA information in
the subject.
- Enter “HIPAA-Subject” in the Label field.
- Select the arrow next to the From field and enter “*@marketing.zixcustomer.com”, then click Add Pattern.
- Select the arrow next to the To field and select Enable All Patterns.
- Click
The Glossary and Bindings dialog displays.
- In the HIPAA Violation (standard) row, select Subject.
- Click OK.
You are returned to the Configure a Content Policy form.
- In the Send Options row, select Send, Encrypt & Send and Send Unencrypted.
- For Output Type select Log (matched).
- Click Apply.
You have created Audit-Log policies that you can use for testing to
see if the application of two HIPAA Encryption Policies will achieve the
desired results.
- You can send test messages with sample medical and patient information in the message body and attachments and see from the content.log file whether the test messages would have been sent encrypted. In this case, emails with no HIPAA violation should be written in the log file with a first line of <Audit Entry>.
- You can send test messages with sample medical and patient information in the message subject line and see from the content.log file whether the test messages would have bounced. In this case, emails with HIPAA violations in the Subject should be written in the log file with a first line of <Log Entry>.
View the audit results on the Content Log Server that you specified when you configured your ZixGateway appliance. See Viewing Audit-Log Results.
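A repeatable test plan for the two policies above, as an added example that is not part of the ZixGateway documentation: it builds one test message per placement of sample data and lists the content.log first line to look for under each policy label. Assumptions: the constructed sample strings, the placeholder recipient and sender addresses, glob-style matching of the From pattern, and that a message with sample data only in the subject counts as "not matched" for the Body and Attachments binding.

```python
from email.message import EmailMessage
from fnmatch import fnmatch

FROM_PATTERN = "*@marketing.zixcustomer.com"  # From pattern entered in both policies
SAMPLE = "Patient Jane Testcase, diagnosis code E11.9"  # constructed; assumed to hit the glossary
CLEAN = "Quarterly newsletter draft"                    # constructed; assumed not to hit it

def build(sender, placement):
    """Test message with SAMPLE in 'subject', 'body', 'attachment', or nowhere ('none')."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "tester@example.com"  # placeholder; the To field has all patterns enabled
    msg["Subject"] = SAMPLE if placement == "subject" else CLEAN
    msg.set_content(SAMPLE if placement == "body" else CLEAN)
    if placement == "attachment":
        msg.add_attachment(SAMPLE, filename="notes.txt")
    return msg

def expected_entries(sender, placement):
    """First lines to look for in content.log, keyed by policy label."""
    if not fnmatch(sender.lower(), FROM_PATTERN):  # glob semantics are an assumption
        return {}  # sender is outside the From pattern, so neither policy applies
    expected = {}
    # HIPAA-Body_Atachments uses Audit (not matched): an entry is expected
    # when the body and attachments contain no HIPAA terms.
    if placement not in ("body", "attachment"):
        expected["HIPAA-Body_Atachments"] = "<Audit Entry>"
    # HIPAA-Subject uses Log (matched): an entry is expected when the
    # subject contains HIPAA terms.
    if placement == "subject":
        expected["HIPAA-Subject"] = "<Log Entry>"
    return expected

def plan(senders=("alice@marketing.zixcustomer.com", "bob@sales.zixcustomer.com")):
    """Every sender/placement pair with its message and expected log markers."""
    return [(s, p, build(s, p), expected_entries(s, p))
            for s in senders
            for p in ("none", "body", "attachment", "subject")]

if __name__ == "__main__":
    for sender, placement, msg, exp in plan():
        print(f"{sender:34} {placement:10} -> {exp or 'no entry expected'}")
```

Send each built message through the gateway with your usual mail client or relay, then compare the entries on the Content Log Server against the printed expectations.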