Handling confidential emails with Mail Drop

Hey folks,

A client of mine uses OmniFocus. She’d like to forward emails to OmniFocus using Mail Drop, so that she can keep track of those emails in OmniFocus and process them later.

Problem is, most of the email she receives is confidential. (She’s a medical professional.) So she is not allowed to have the contents of emails residing in the OmniFocus database.

I suggested that she delete the body of any email before sending it to Mail Drop, so only the subject line will exist in OmniFocus (as the task title). But this requires that she manually delete the email body every single time she uses Mail Drop.

Can you think of a better way to handle this situation?

I believe my client uses Outlook on Windows, so Apple scripts are not an option.

— Peter

1 Like

maybe she could use omni on the web?

Hey Janov, thank you for getting back to me.

I will indeed be advising her to sign up for OmniFocus for the Web.

But your question got me wondering what my client is actually trying to achieve here with Mail Drop. So I went back and asked her. I’ll report back.

— Peter

1 Like

What you’re describing is confusing. If she’s not allowed to use MailDrop, she’s not allowed to use OmniFocus for Web—both go to the same cloud storage.

On the other hand, I’m not quite sure that just being a medical professional means she can’t use Omni Sync Server. The privacy policy states that Customer Data (i.e., anything she syncs) will be used for aggregate functions—statistics and such. They’re not reading our uploaded databases unless they receive a warrant.

So step one: email info@omnigroup.com and ask them if Omni Sync is HIPAA-compliant (assuming your client is in the US). If it is, then she only has a problem if there’s a compliance officer where she works who doesn’t take their word for it—which sometimes happens.

Plan B: build your own MailDrop. A Mac mini at the client’s home or office that’s turned on 24/7, running macOS Server and Mail.app. Set it up to connect to the local email account and receive encrypted mail from work—the email will be encrypted in transit, arrive on the server, and passed locally into Mail.app. There you can AppleScript triggers doing whatever you like—which is something I’ve been intending to do for better control than I get with MailDrop.

So for example: email arrives, Subject line and the mail message URL goes into OmniFocus. That link will be clickable on any Mac or iOS device where that email resides in Mail.app, but won’t work anywhere else.

Jeff Porten
Author, Take Control of Your Productivity

1 Like

Hi Jeff,

I appreciate your thinking with me here.

The point of Mail Drop would be to get the body text of emails into OmniFocus. The body text will help her complete the tasks associated with the email. It’s all right to have email subject lines in OmniFocus, she said, but not the body text.

So using Mail Drop as it is is not okay for her, because the body text of emails would end up in OmniFocus. But using OmniFocus for the Web is fine, because all that would help her do is manually add tasks to OmniFocus for processing emails.

— Peter

The question is what is going to cloud storage. If there’s PHI being exfiltrated from the employer’s systems that is a big problem. The client is right to be cautious about this.

The question is if Omnigroup is authorized to possess it, or the client is authorized to move it off her employer’s systems. But you’re right, she should be able to use Mail Drop, if she can do so without sending any PHI. I’d also keep in mind the employer’s IT should have a record of all emails sent through her work account, so all the mails sent to OmniSync could be audited.

What… this is not how it works. OmniGroup needs to sign a contract with the employer to become a Business Associate authorized to handle their PHI. Probably too much effort for the given use case.

Sending work mail to a homebrew server is just a bad idea if you’re in the healthcare field (or you’re the Secretary of State…).

The client just needs to delete attachments and remove sensitive data from the email body. Or limit Mail Drop to things that aren’t sensitive, which is what I do.

1 Like

@peterakkies: I would confirm with her what the exact issue is. For example:

If the issue is she can’t send/host confidential data in servers outside of the employer (which is very common), then Mail Drop won’t work. But omni sync in general would also be breaking the rules. Even if you were to copy/paste the info from Outlook to OmniFocus, when it syncs to another device, you’ve now sent the data to omni’s servers. That may be against the company policy. The same applies to Omni for Web.

They only ways around this would be to either:

  1. Use OmniFocus on a single, company owned (or approved) device and have Omni Sync off (data stays in the device), or
  2. Get the IT team at the company to build a WebDAV server inside the company network and use that for sync.

I hope that helps

To be clear, I’m not an expert on HIPAA, but I’ve worked with several clients on merging their workflows with the standards used at their workplaces, and have hit HIPAA regulatory websites for clarification of some policies.

As I understand it—and you’re welcome to tell me you have more subject matter experience than I do—there’s an issue with PII exposure to Omnigroup if it arrives on a server in plaintext format. If it’s encrypted end-to-end and only in the clear when it leaves the internal network and when it arrives on the client’s machine in OmniFocus, this would be a kosher implementation. I’m fairly sure that encrypted SMTP to her initial server would be sufficient for this.

The policies I’ve read say that transmitting PII for legitimate work purposes is allowable so long as reasonable due diligence is taken. The kind of hoops you’re talking about are necessary if we’re talking password access to large amounts of personal data. So—again, as I understand it—forwarding a PII email to personal Gmail would be forbidden because Google admins can inspect it (and every email passing through there is automatically scanned by AI). I suggested getting in touch with Omni to find out if their servers are set up like Gmail or like Apple iMessage, which can’t be inspected.

If they can read it, possibly. The regulations say that end users have to meet reasonable standards—an email with limited data, if breached, is reasonable so long as steps are taken to avoid it, and steps are taken to prevent it after discovery. Her employer may have more stringent standards in place to avoid legal issues, but what you’re saying is not universally applicable.

It’s fine if you can document that you’ve complied with federal and other regulations, and you’re meeting with the standards of your organization. Running a local server is one way to be certain you know what’s happening end-to-end, provided non-technical folks get professional help with implementation. The primary issue with HRC is that she didn’t get good admin help—but it is entirely likely that her home server was more secure than the State Department’s, which we know for a fact was breached:

Sure, but if your goal is to get your inbox filled with the least amount of effort, this is suboptimal. I would advise a client to jump only through necessary hoops, and follow the procedures you suggest only when they’re actually necessary. They haven’t been in the cases I’ve worked on.

I’ve been through the HIPAA training but don’t have to deal with it day to day, other than following the standards when I have access to PHI.

The email would be encrypted in transit using TLS, which is fine. But there’s an intermediary step where it sits on the OmniGroup server in plaintext until it’s imported into the user’s database.

The second question is whether the client’s employer allows any PHI to reside on personal devices, even for work purposes. At my company this is actively discouraged. A quick web search for HIPAA and BYOD brings up a lot of articles highlighting the risks. It doesn’t seem to be patently illegal, though.

The Mail Drop part of OmniFocus is not like iMessage because, as noted above, the emails arrive at the OmniGroup server in plaintext. To encrypt email contents (not just the connection) you need additional software like PGP. Other than that, OmniFocus sync is end-to-end encrypted. However, for local storage it relies on the user to have encryption turned on (using FileVault on the Mac; iOS storage is encrypted as long as you haven’t set it to never lock, I believe).

I’d agree there is some gray area, and HIPAA has some tolerance for ‘incidental’ disclosures. In this case, we’re talking about possibly multiple emails a day with PHI being transmitted out of the employer’s systems, as part of the client’s regular workflow. As an ever-increasing volume, it seems more than incidental. I really think the client should get clarification from her employer if she wants to move any PHI outside the company.

Why not use something like Zapier? star/tag a mail get Zapier to just send the subject line to OF mail drop. Zapier does allow for filtering what gets sent if I remember correctly.

I would possibly look at something like DevonThink to store the full emails as this would mean they are encrypted stored locally only and can be cross referenced in numerous ways using DT AI

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.