Q. Would a covered entity or business associate be in violation of the HIPAA Security Rule if it sends PHI in unencrypted emails to an email address within the same domain using a Microsoft Exchange server behind the organization's firewall?
A. No. PHI can be sent unencrypted within what is called a closed network. A network that is internal to the organization and protected by a firewall is considered a closed network. If the firewall is breached and unencrypted PHI is accessed, that would be considered a breach of unsecured PHI, and breach notification requirements would apply.