Overall objective: Determine whether the organization's email systems and email policy are able to provide confidential email communication to its partners and employees, to protect its employees and the organization from potential legal liability, to ensure the privacy and integrity of patient data, clinical data, and other sensitive information transmitted via email, and to mitigate the risk of compromising the organization's data and systems as a result of email communication.
Audit Steps                                                        WP Ref.        Prepared By
EMAIL POLICY – CONFIDENTIALITY AND PRIVACY
1. Determine if there is an approved corporate email policy and if the policy stipulations mitigate the organization's exposure in the event of liability claims. Assess whether the policy clearly addresses the following issues:
1.1 Email systems are the employer's property, not the employee's, and the organization has the ability and the right to retrieve, review, audit, intercept, access, and disclose any messages sent or received via email.
1.2 Only authorized personnel may inspect and monitor electronic communications.
1.3 Email communication is to be used primarily for business purposes, where 'primarily' is defined according to the business culture.
1.4 Monitoring software may be used to enforce policies, and filtering software may be used to filter email content (e.g., spam).
1.5 Email, like any other software, must not be used as a vehicle to disseminate unauthorized proprietary data, or to disseminate or download unauthorized materials from the Internet, including unauthorized anti-virus or anti-copyright-infringement software.
1.6 The policy spells out whether employees are allowed to use the corporate network to access personal web-based email: not at all, on a restricted basis, or for occasional and incidental use.
1.7 The Internet policy is integrated with the email policy and is meant to help employees understand that outbound email communication via the Internet is not secure even if it is encrypted, and that viruses can be introduced onto internal networks through web-based mail, such