Can someone point me in the direction of the general guidelines for e-mail encryption requirements such as inbound e-mail requirements with PHI?
Software/Hardware used:
Exchange 2003
ASKED: December 26, 2010 3:37 PM
UPDATED: December 28, 2010 9:53 PM
You would also need to familiarize yourself with these HIPAA Security policies:
•45 CFR Part 142, § 142.308 (c). “Technical security services to guard data integrity, confidentiality and availability.” These are processes that protect information and control individual access to information.
•45 CFR Part 142, § 142.308 (d). “Technical security mechanisms.” These are controls that prevent unauthorized access to information that is transmitted across an internal network or across the public Internet.
Also there are key requirements for exchanging PHI over the Internet:
*Email attachments and forms must have encryption, authentication, and authorization controls to ensure their integrity
*Make sure your technology secures e-mails and their attachments without impacting an organization’s existing workflow for receiving or sending PHI
*Make sure HIPAA compliance protection based on specific terms, such as patient social security numbers, is applied
*Enable data to be protected and delivered by securing middleware Web servers, mail servers or mail clients. This protection includes the ability to track, audit, and expire messages or data in the e-mail to ensure that patient information has been properly disclosed in accordance with existing corporate policies. Protection should be extended to e-mail even after it is delivered to a recipient’s Inbox
*Recipients can view and reply to protected e-mail or webforms using a standard Web browser
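The answer above says encryption should be triggered by specific terms in the message, such as patient social security numbers. The following is an added example of that content-based check, written for this page and not taken from the question, the answer, or any Exchange 2003 feature: it parses a MIME message, scans every text part (body and text attachments) for SSN-shaped values, discards values that cannot be real SSNs (area 000, 666 or 900-999, group 00, serial 0000), and fails closed by also forcing encryption when an attachment is binary and cannot be scanned. The SSN pattern, the fail-closed policy, and the sample messages are all assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Assumed pattern: US SSN as 3-2-4 digits with optional '-' or ' ' separators.
# The look-around keeps it from matching a slice of a longer digit run.
SSN_RE = re.compile(r"(?<![\w-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\w-])")


def is_valid_ssn(area, group, serial):
    """Reject values that are syntactically SSN-shaped but never issued."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text):
    """Return normalized (NNN-NN-NNNN) SSNs found in a piece of text."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text) if is_valid_ssn(a, g, s)]


def classify_message(raw_message):
    """Decide whether an outbound message must be encrypted.

    Returns a dict with the action ('encrypt' or 'allow'), the SSNs found per
    part, and the names of attachments that could not be scanned. Policy
    (assumed for this example): any finding, or any unscannable attachment,
    forces encryption; only a fully scanned, clean message is allowed as-is.
    """
    msg = message_from_string(raw_message)
    findings = []
    unscanned = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        label = part.get_filename() or ctype
        if ctype.startswith("text/"):
            payload = part.get_payload(decode=True) or b""  # undoes base64/QP
            text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
            findings.extend((label, ssn) for ssn in find_ssns(text))
        else:
            unscanned.append(label)  # binary attachment: cannot prove it is PHI-free
    action = "encrypt" if (findings or unscanned) else "allow"
    return {"action": action, "findings": findings, "unscanned": unscanned}


def build_sample_message():
    """Constructed sample: body with one real-looking SSN and two decoys, plus a CSV attachment."""
    msg = MIMEMultipart()
    msg["From"] = "records@clinic.example"
    msg["To"] = "billing@payer.example"
    msg["Subject"] = "Claim follow-up"
    body = (
        "Account ref 000-12-3456 (not an SSN, area 000).\n"
        "Verified SSN on file: 078-05-1120\n"
        "Call 555-1234 with questions.\n"
    )
    msg.attach(MIMEText(body, "plain"))
    roster = MIMEText("name,ssn\nJane Doe,219 09 9999\n", "csv")
    roster.add_header("Content-Disposition", "attachment", filename="roster.csv")
    msg.attach(roster)
    return msg.as_string()


def build_binary_attachment_message():
    """Constructed sample: clean body but an opaque PDF attachment the scanner cannot read."""
    msg = MIMEMultipart()
    msg["From"] = "records@clinic.example"
    msg["To"] = "billing@payer.example"
    msg["Subject"] = "Scanned report"
    msg.attach(MIMEText("Report attached.\n", "plain"))
    pdf = MIMEApplication(b"%PDF-1.4 constructed placeholder bytes", _subtype="pdf")
    pdf.add_header("Content-Disposition", "attachment", filename="report.pdf")
    msg.attach(pdf)
    return msg.as_string()


if __name__ == "__main__":
    print(classify_message(build_sample_message()))
    print(classify_message(build_binary_attachment_message()))
```

In practice this check would sit on the outbound mail path (a gateway or transport hook) and the "encrypt" action would hand the message to whatever encryption product the organization uses; the example only makes the decision, it does not perform the encryption.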