Use of Email to Transmit Protected Health Information: Understanding University Policy
Sending Protected Health Information (PHI) by email exposes the PHI to two risks:
HIPAA requires that we take reasonable steps to protect against these risks but acknowledges that a balance must be struck between the need to secure PHI and the need to ensure that clinicians can efficiently exchange important patient care information. We have recently revised the University’s HIPAA Policy 5123 on Electronic Communication of Health Related Information in an effort to be sure that Yale strikes the right balance. The revised policy imposes a critical new security requirement:
YOU MUST NEVER SEND OR RECEIVE EMAIL CONTAINING PHI FROM ANY DEVICE EXCEPT A YALE-MANAGED COMPUTER OR A YALE-MANAGED SMARTPHONE.
In addition, you must continue to observe the following rules:
Recommended Privacy statement: Please be aware that e-mail communication can be intercepted in transmission or misdirected. Please consider communicating any sensitive information by telephone, fax, or mail. The information contained in this message may be privileged and confidential. If you are NOT the intended recipient, please notify the sender immediately with a copy to firstname.lastname@example.org and destroy this message.
You may continue sending PHI by email from one yale.edu email address to another yale.edu email address or to a Yale-New Haven Health System email address (including ynhh.org, bpth.org, and Greenwichhospital.org) so long as you follow the rules above.
You may exchange PHI by email outside the yale.edu or Yale-New Haven Health System network, so long as you follow the rules above AND so long as one of the circumstances below applies:
1. The email is being sent to a non-Yale clinician, research collaborator, or collaborating institution, AND it contains information urgently needed for patient care AND the patient identifiers are limited to name, date of birth, medical record number, or phone number, as needed.
2. The email is being sent to a non-Yale clinician, research collaborator, or collaborating institution, AND it must be transmitted in a timely manner, AND it contains no direct identifiers (name, address, Social Security number, date of birth, phone/fax numbers, or patient email address) and no highly sensitive PHI (for example, mental health, substance abuse, or HIV-related information). Note: Less direct identifiers such as medical record number or initials (for example, “Mr. S”) may be included.
3. The patient or research subject has agreed to the use of email by completing a Consent for Email Communication form (available at http://hipaa.yale.edu/resources/docs/Agreement-For-Email-Communication.pdf).
4. The email is encrypted through a secure messaging system such as Yale Health’s Patient Online or Yale’s secure file transfer application (http://www.yale.edu/its/email/transfer.html). Note: Standard Yale e-mail, such as Outlook, is NOT encrypted.
Please note that the circumstances set out above include different time elements. You may send PHI by email to non-Yale clinicians or collaborators (circumstances 1 or 2) only if the information must be communicated in an urgent or timely manner. There is no timeliness requirement attached to circumstances 3 or 4.