Guidance on the Use of Email Containing PHI

General Guidelines

- Electronic communication of PHI between Yale personnel and patients (e.g., email) is permitted using approved Secure Electronic Messaging. Insecure Electronic Messaging may be used with patients for communicating PHI that has minimal privacy-related consequences, such as appointment reminders and notification of services such as flu shots.
- Any email containing PHI must contain the Email Notice. Any electronic messaging (e.g., email) between providers and patients must establish Informed Patient Consent for Electronic Messaging.
- Great care should be taken when sending an email with PHI to ensure that the recipient address corresponds to the intended recipient.
- Any email containing PHI that is misdirected must be documented (see Policy 5003 – Accounting for Disclosures).
- Email clients used by Yale University personnel must be configured to require SSL/TLS encryption when transmitting an email message to the SMTP server AND when retrieving messages from an IMAP or POP server (contact your local IT support person for assistance). The client should also verify the server's certificate: encryption without certificate verification protects only against passive interception, not against an attacker who impersonates the server.
- Except where PHI relates specifically to treatment, any PHI transmitted by email should be limited to the minimum necessary to meet the recipient’s needs. (See Policy 5037: Minimum Necessary Uses, Disclosures and Requests).
- Email messages containing PHI must not be forwarded to non-Yale email addresses, either individually or by an automated forwarding mechanism, unless an approved secure electronic messaging option (end-to-end encryption) is employed.
- Instant Messaging (IM) software should not be installed or used for electronic messaging until an approved secure Instant Messaging (IM) option is available.
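The two client-side rules above (require TLS to the SMTP and IMAP/POP server; keep PHI mail inside approved addresses) can be enforced in code. The following is an added example written for this page, not Yale's own tooling: it builds a TLS context that actually verifies the server, shows for contrast the unverified context that Python's smtplib and imaplib fall back to when no context is supplied, parses the To header with the standard library so that a spoofed display name or a look-alike domain is rejected, and appends the Email Notice. The approved domain (yale.edu and its subdomains), the server names and the account details are assumptions.

```python
"""Outbound PHI e-mail helpers: verified TLS to the mail server and a
recipient-domain check.  Added example, not Yale's own tooling; the
approved-domain list and any host names are assumptions."""
import imaplib
import smtplib
import ssl
from email.message import EmailMessage
from email.utils import getaddresses

APPROVED_DOMAINS = ("yale.edu",)   # assumption: internal domain plus subdomains
EMAIL_NOTICE = ("The information contained in this message may be privileged "
                "and confidential. If you are NOT the intended recipient, please "
                "notify the sender immediately and destroy this message.")


def make_tls_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate against the system
    trust store, checks the hostname and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_context() -> ssl.SSLContext:
    """What smtplib.SMTP.starttls() and imaplib.IMAP4_SSL() use when no context
    is given: the session is encrypted, but the peer is never verified, so an
    on-path attacker can present any certificate.  Shown only for contrast."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True only if the context verifies the peer, checks the name and is >= TLS 1.2."""
    return bool(ctx.check_hostname
                and ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def check_recipients(header_value: str) -> tuple[bool, list[str]]:
    """Parse a To/Cc header and return (all_ok, rejected_addresses).
    The check runs on the address part, not the display name, so
    '"alice@yale.edu" <mallory@example.net>' is rejected, as is the
    look-alike domain yale.edu.example.net.  An empty header is not ok."""
    pairs = getaddresses([header_value])
    rejected = []
    for _display, addr in pairs:
        local, at, domain = addr.rpartition("@")
        domain = domain.lower().rstrip(".")
        ok = at and local and any(domain == d or domain.endswith("." + d)
                                  for d in APPROVED_DOMAINS)
        if not ok:
            rejected.append(addr or repr(header_value))
    return (bool(pairs) and not rejected), rejected


def build_phi_message(sender: str, to: str, subject: str, body: str) -> EmailMessage:
    """Refuse to build a message for a non-approved recipient; append the Email Notice."""
    ok, rejected = check_recipients(to)
    if not ok:
        raise ValueError(f"recipient(s) outside approved domains: {rejected}")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg.set_content(body + "\n\n" + EMAIL_NOTICE)
    return msg


def send_phi_message(host: str, port: int, user: str, password: str,
                     msg: EmailMessage) -> None:
    """Submit over STARTTLS with a verified context and refuse plaintext.
    Needs network access; not exercised by the offline checks."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server does not offer STARTTLS; not sending PHI in clear")
        smtp.starttls(context=make_tls_context())  # bare starttls() would not verify
        smtp.ehlo()
        smtp.login(user, password)
        smtp.send_message(msg)


def inbox_message_count(host: str, user: str, password: str) -> int:
    """Retrieve over implicit TLS (port 993) with the same verified context."""
    with imaplib.IMAP4_SSL(host, 993, ssl_context=make_tls_context()) as imap:
        imap.login(user, password)
        _typ, data = imap.select("INBOX", readonly=True)
        return int(data[0])
```

The same `make_tls_context()` is used for both submission and retrieval so the two halves of the rule cannot drift apart; if the SMTP server does not advertise STARTTLS the message is not sent at all rather than silently falling back to cleartext.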
Approved Secure Electronic Messaging Options

- POL: Patient Online is a secure, Web-based application allowing patients or research subjects to view portions of their medical record and electronically communicate with their clinicians.
- Yale File Transfer Facility: the File Transfer Facility uses a secure web-based method (https) for the actual data transfer but retains the flexibility of email for the accompanying communication. Because every transaction is encrypted with https, the data is protected from interception in transit. Retrieval of the file(s) should be restricted to the intended individual by setting a username/password pair that the recipient must know in order to retrieve the data:
- Do not send the password via the File Transfer Facility.
- Communicate the password out of band: call the recipient, or use a clue that only the recipient would know (for example, "the password is your mother's maiden name" or "the password is the color of the scarf you wore last night").

Electronic communication of PHI between Yale personnel and patients

Electronic communication of PHI between Yale personnel and patients (e.g., email) is permitted using approved Secure Electronic Messaging. A patient contacting his/her physician with a request involving PHI could be referred to an approved Secure Electronic Messaging System to obtain an electronic response. Insecure Electronic Messaging may be used with patients for communicating PHI that has minimal privacy-related consequences, such as appointment reminders and notification of services such as flu shots. Secure Electronic Messaging is always preferred to Insecure Electronic Messaging for more sensitive PHI but, until such time as an electronic medical record with integrated Secure Electronic Messaging or a comparable system is available, Yale personnel may use Insecure Electronic Messaging (e.g., email) to consult with patients, including ePHI, under the following conditions:

- Either the patient or the provider can initiate the email contact, but to proceed, the patient must approve such electronic communication in the context of other options such as phone or fax and provide informed consent to the electronic message exchange by an acknowledgement. As with a phone or fax based consultation, the provider must maintain documentation of that informed consent and consider the nature of the transaction and, if appropriate, add suitable notes to the patient's medical record.
- While a patient may request electronic communication, the provider is not obligated to respond electronically and such response must be conducted with care: if the provider has any concerns about the legitimacy of the email query or the identity of the email correspondent, the provider must seek additional identifying information or refer the patient to a phone or in-person consultation.
- The ePHI in any such communication must be the minimum necessary and in no event may the communication include highly sensitive PHI such as information relating to HIV/AIDS, mental health or substance abuse.
Email Notice
The information contained in this message may be privileged and confidential. If you are NOT the intended recipient, please notify the sender immediately with a copy to hipaa.security@yale.edu and destroy this message.
Please be aware that email communication can be intercepted in transmission or misdirected. Your use of email to communicate protected health information to us indicates that you acknowledge and accept the possible risks associated with such communication. Please consider communicating any sensitive information by telephone, fax or mail. If you do not wish to have your information sent by email, please contact the sender immediately.
Informed Patient Consent for Electronic Messaging
A provider may obtain informed consent from a patient via electronic messaging (e.g., email) by conducting the following consent exchange upon presentation of a patient query via electronic messaging (this example is for an email exchange):
I will be happy to respond to your query but to do so via email you must provide your consent, recognizing that email is not a secure form of communication. There is some risk that any protected health information that may be contained in such email may be disclosed to, or intercepted by, unauthorized third parties. I will use the minimum necessary amount of protected health information to respond to your query.
If you wish to conduct this discussion via email, please indicate your acceptance of this risk with your email reply. Alternatively, please call my office to arrange a phone conversation or office visit.
Note that extra care should be taken by the provider to ensure that the provider is confident of the correspondent's identity, that any PHI is kept to a minimum and that, as with phone or fax based exchanges, the consultation is documented in the patient's record if appropriate. Further, even when requested by a patient, the provider should decline to use email and refer the patient to a phone call or office visit if she or he has any concerns about any aspect of the exchange.