Start with policy: which messages may contain PHI, which require portals or enforced encryption, and how patients opt in to alternate channels.
BAA coverage must extend to mail gateways, archiving vendors, and mobile device configs.
User training on subject lines and autocomplete mistakes prevents the classic wrong-recipient breach.
If you cannot retrieve it, you cannot defend it—or release it to patients.
Speed and documentation matter more than perfection in the first hour.
If a vendor touches PHI on your behalf, paperwork should match reality—not a dusty PDF no one read.
Fax persists in healthcare because it is familiar—not because it is magically secure.