Today I will set up an email disclaimer. Taken from the HIPAA regulations guidelines for Protected Health Information (PHI), there are specific sets of disclaimers that must be employed depending upon the mail's contents. For all company email, a disclaimer must be added to the bottom, stating “The materials in this email are private and may contain Protected Health Information. If you are not the intended recipient, be advised that any unauthorized use, disclosure, copying, distribution or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error, please immediately notify the sender via (123) 123-1234 or return email.”

We will set this one up first. Open up Exchange Management Console, and click Hub Transport under organization Configuration. Then click the Transport Rules Tab. Click New Transport Rule.

Name it something appropriate; in my case it is named HIPAA Disclaimer.

I want this disclaimer set to only appear on new emails sent to people who don't work in the company; people inside the company KNOW the emails are sensitive.

So I select the conditions "from users inside or outside the organization" and "sent to users inside or outside of the organization".

[Screenshot: Edit Transport Rule]

In the lower window I then click the blue links in each condition, and change the "from" condition to inside the organization and the "sent to" condition to outside the organization. This rule now only applies if someone from my domain mails someone not from my domain. Click Next (you might add more conditions if you wish).

Under Actions, select the check box for "append disclaimer text using font, size, color, with separator and fallback to action if unable to apply". Now click the blue link at the bottom. We will leave append as append, and change the disclaimer text to our disclaimer. Make sure once you enter your text you copy it to the clipboard; you'll need some of it in a second. Personally, I also check the box that says "send a BCC to address". I do this for compliance: one copy of every email gets sent to a mailbox I have set up named general correspondence. This email is kept for 2 years, and potentially contains confidential information. I also changed the color and font size of the disclaimer, though that is completely up to you.

Click Next. Exceptions: these are things that will prevent the rule from completing. I select "except when the text specific words appears in the subject or body of the message". I click "specific words", and enter the text of our disclaimer, which I copied from the transport rule. This tells Exchange not to append this disclaimer if it already exists; it will display only once in each conversation. Cool. NOTE: For the sake of explanation, I also check the box "except when message is marked as importance", and change the importance to High. This will not apply to most people with a simple disclaimer, and I will explain in a few moments.

Click next and update, and you are done.

Now, the reason I made the additional BCC rule and exception: HIPAA requires that we have a disclaimer on all email, appended. They also require that we PREPEND the same disclaimer if the message DOES contain PHI. This situation applies to any business; it does not have to be healthcare. So, to comply, let's make our second rule. It is going to be nearly the same, except for a few selections.

[Screenshot: Edit Actions]

Create a new rule; I named it PHI. The same to and from conditions are selected; in addition I select the condition "marked with importance" and set it to High. I click Next and add the action "prepend the subject with string", and for the value I put "Protected Health Information:". This makes this the beginning of the subject line on emails to which this applies. I also select "apply message classification", and change that to ExCompany Confidential. I then select the same "append disclaimer text using font..." action as before. On the bottom, I add the same disclaimer text as before, but this time I change the word append to prepend. I also change the color to red. Then complete the rest of the steps the same as above; I even BCC a different mailbox (named PHI correspondence), which gets retained for 4 years.
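The same two rules can be built from the Exchange Management Shell instead of clicking through the console. The block below is an added example, not part of the original post: it assumes Exchange 2010 SP1 or later parameter names, placeholder mailbox addresses, that the "ExCompany Confidential" classification already exists, and it keys the "already has the disclaimer" exception on one distinctive phrase rather than the full text (the page uses the whole disclaimer).

```powershell
# Added example, not the post's own steps. Assumptions: Exchange 2010 SP1+ cmdlet
# parameters, example.com mailboxes, and an existing classification (verify with
# Get-MessageClassification before running).
$Disclaimer = 'The materials in this email are private and may contain Protected ' +
    'Health Information. If you are not the intended recipient, be advised that any ' +
    'unauthorized use, disclosure, copying, distribution or the taking of any action ' +
    'in reliance on the contents of this information is strictly prohibited. If you ' +
    'have received this email in error, please immediately notify the sender via ' +
    '(123) 123-1234 or return email.'

# Distinctive phrase from the disclaimer used for the "already present" exception
# (assumption: a phrase is used instead of the whole text to stay within word-match limits).
$Marker = 'taking of any action in reliance on the contents of this information'

# Rule 1: internal sender to external recipient, disclaimer appended, copy kept.
# Exceptions: disclaimer already in the thread, or High importance (rule 2 handles those).
New-TransportRule -Name 'HIPAA Disclaimer' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerText $Disclaimer `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -BlindCopyTo 'general.correspondence@example.com' `
    -ExceptIfSubjectOrBodyContainsWords $Marker `
    -ExceptIfWithImportance High `
    -Priority 0

# Rule 2: same scope, but only High-importance mail: subject tag, classification,
# disclaimer prepended in red, copy kept in the longer-retention PHI mailbox.
New-TransportRule -Name 'PHI' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -WithImportance High `
    -PrependSubject 'Protected Health Information: ' `
    -ApplyClassification 'ExCompany Confidential' `
    -ApplyHtmlDisclaimerText "<span style='color:red'>$Disclaimer</span>" `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -BlindCopyTo 'phi.correspondence@example.com' `
    -ExceptIfSubjectOrBodyContainsWords $Marker `
    -Priority 1

# Check that both rules exist, are enabled, and fire in the intended order.
Get-TransportRule | Format-Table Name, Priority, State, Mode
```

Because both BCC mailboxes accumulate outbound mail (the PHI one by design), restrict who can open them and apply the 2- and 4-year retention the post describes to the mailboxes themselves, not just to the rules.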

Total, these two rules do the following:

When emailing someone outside the company, a disclaimer is added, the email is saved.

When a user marks the message as High Importance, a different disclaimer is added to the top, PHI is added to the subject, and the email is saved in a different mailbox.

There are better things to do to retain email, but this works for me. Asking my users to categorize every email they interact with or move emails into public folders for retention does not work; I tried. This is the simplest solution I could come up with to categorize general and administrative emails for eDiscovery.

A GREAT article can be found here at MSExchange with more screenshots.