E-mail and Protected Health Information
Appendix to Policy
Use of e-mails to transmit PHI is discouraged. E-mails are always subject to some level of security risk, can be sent to the wrong address, and can be forwarded to others who should not receive them. Use alternate, and more secure, forms of communication whenever possible.
In the event you determine that e-mail of PHI is necessary, you must ensure that you meet the guidelines contained in this Appendix.
If encryption tools for e-mail are available in your unit, those tools should be used for any e-mail transmission of PHI. Check with your local IT support person to confirm whether or not such tools are available for your unit. If encryption tools are not available for your unit, then you must follow the guidelines below.
E-Mailing PHI to Patients:
E-mails containing a patient's PHI should be sent to that patient only if the patient has specifically agreed to such a form of communication. Check with the facility where the patient is being seen to ensure that such an agreement is in place, and that you are following any additional guidelines the facility has regarding such communications.
E-Mailing Patient PHI to Others:
PHI of patients may be e-mailed to others only in the following circumstances and subject to the following guidelines:
- The communication is sent to another e-mail address within the University, University of Minnesota Physicians, or Fairview.
- The communication is sent only to those who have a legitimate purpose for receiving the information (such as those involved in treatment, payment for treatment, or some type of healthcare operation, including quality assurance, peer review, training or education).
- Only the minimum amount of PHI necessary is communicated.
- PHI containing information about AIDS, HIV, STDs, mental health, substance abuse and developmental disabilities should not be e-mailed unless required for patient safety.
- No auto-forwarding of e-mails containing PHI to personal e-mails is permitted.
- The following Confidentiality Statement is included at the bottom of the e-mail:
The information transmitted in this e-mail is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material, including "protected health information." If you are not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please destroy and delete this message from any computer and contact us immediately by return e-mail.
NOTE: E-mailing patient PHI to others beyond the University, University of Minnesota Physicians and Fairview is not secure and is prohibited.
Researchers should not include PHI of individual research subjects in e-mails or attachments to e-mails. If you are working with de-identified information, that information is no longer PHI and can be e-mailed, subject to any restrictions in place from your research sponsor.
Health Plan Beneficiaries
PHI of individual health plan beneficiaries should not be included in e-mails or attachments to e-mails (unless the information is being submitted by a secured transmission to a University health plan administrator). Information that indicates health plan enrollment or disenrollment status is not PHI and can be e-mailed.
Dispute Resolution, Audits, Internal Reviews
In the event an individual’s PHI is the subject of a dispute, audit, or other type of internal review, then support units needing access to that individual’s PHI to further the dispute resolution, audit or review may use e-mail to receive and/or transmit the PHI, so long as (i) an encryption tool is used to encrypt the PHI, or (ii) the requirements identified above for “E-Mailing Patient PHI to Others” are followed.