E-mail and Protected Health Information
Appendix to Policy
A patient’s e-mail address is PHI, and where research is conducted by research teams including members of the University’s hybrid entity, a research participant’s e-mail address is PHI. E-mailing patients or research participants involved in such research studies, or e-mailing PHI to others within the University community or beyond, is discouraged. E-mails are always subject to some level of security risk, can be sent to the wrong address, and can be forwarded to others who should not receive them. Use alternate, and more secure, forms of communication whenever possible.
In the event you determine that e-mail of PHI is necessary, you must ensure that you meet the guidelines contained in this Appendix.
University e-mail encryption tools must be used for all e-mails:
- to patients;
- to research participants involved in research studies that include members of the University’s hybrid entity; and
- to individuals or organizations other than patients or research participants that contain PHI.
In certain limited circumstances described below, unencrypted e-mails may be used.
E-Mailing Research Participants
If you are working on an IRB-approved research study, you may be granted an exception to using encryption tools for e-mailing research participants as part of the HIPCO ancillary review process. Such exceptions will be granted only where research participants have signed a written authorization (in a form approved by HIPCO) permitting the use of unencrypted e-mails, the information to be transmitted via e-mail is limited in nature, and any other conditions required as part of the HIPCO ancillary review process are met.
If you are working in a clinical unit, you may use unencrypted e-mails to communicate with patients in the following limited circumstances, provided you also comply with the requirements of the clinical unit concerning e-mails:
- the patient initiates the communication, and your response is limited and reminds the patient that more secure methods of communication are preferred;
- the patient has signed a written authorization (in a form approved by HIPCO or the clinical unit) permitting the use of unencrypted e-mails; or
- the communication is necessary for patient safety.
Health Plan Beneficiaries
PHI of individual health plan beneficiaries should not be included in e-mails (unless the information is being submitted by a secured transmission to a University health plan administrator). Information that indicates health plan enrollment or disenrollment status is not PHI and can be e-mailed.
In limited circumstances, unencrypted e-mails containing PHI may be sent to individuals other than patients, research participants or health plan beneficiaries, provided the following conditions are met:
- The communication is sent to another e-mail address within the University, University of Minnesota Physicians, or Fairview;
- The communication is sent only to those who have a legitimate purpose for receiving the information (such as those involved in treatment, payment for treatment, or some type of healthcare operation, including quality assurance, peer review, training or education);
- The communication is not of an on-going or recurrent nature, but is limited to a one-time communication (unless you have received written authorization from HIPCO authorizing on-going or recurring communications);
- Only the minimum amount of PHI necessary is communicated;
- PHI containing information about AIDS, HIV, STDs, mental health, substance abuse and developmental disabilities is not included, unless required for patient safety;
- No forwarding of e-mails containing PHI to personal e-mail accounts is permitted. For example, an employee should not forward e-mail containing PHI from their umn.edu account to their own personal account, or the personal account of a colleague; and
- The following Confidentiality Statement is included at the bottom of the e-mail:
The information transmitted in this e-mail is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material, including "protected health information." If you are not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please destroy and delete this message from any computer and contact us immediately by return e-mail.
NOTE: E-mailing unencrypted PHI to others beyond the University, University of Minnesota Physicians and Fairview is not secure and is prohibited.