How often do I need to do a security risk assessment (SRA)?

It depends upon what you are emailing. If you are sending PHI, yes, you should encrypt. If you are sending records, you can easily encrypt through Winzip. Your other option is to put the document on a secure server that is encrypted. There are any number of google drive, godaddy service, dropbox, and others. Window 7 and 10 have included full drive encryption on the software. You can do a pdf and encrypt it. You can encrypt CD’s, and there are encryptable USB drives, if you wish to send electronic Protected Health Information. One thing to consider is that faxing is not considered an electronic communication under HIPAA, therefore the security regulations do not apply to it. Faxing information is considered a secure way to transmit ePHI, though it is not infallible (e.g. faxing PHI to the wrong party).