Health Insurance Portability and Accountability Act (HIPAA) | Yale University

Guidance on the Use of Email Containing PHI

Use of Email to Transmit Protected Health Information:  Understanding University Policy

Sending Protected Health Information (PHI) by email exposes the PHI to two risks:

  • The email could be sent to the wrong person, usually because of a typing mistake or selecting the wrong name in an auto-fill list.
  • The email could be captured electronically en route.

HIPAA requires that we take reasonable steps to protect against these risks but acknowledges that a balance must be struck between the need to secure PHI and the need to ensure that clinicians can efficiently exchange important patient care information.  We have recently revised the University’s HIPAA Policy 5123 on Electronic Communication of Health Related Information in an effort to be sure that Yale strikes the right balance.  The revised policy imposes a critical new security requirement: 

YOU MUST NEVER SEND OR RECEIVE EMAIL CONTAINING PHI FROM ANY DEVICE EXCEPT A YALE-MANAGED COMPUTER OR A YALE-MANAGED SMARTPHONE. 

In addition, you must continue to observe the following rules:

  • Limit the information you include in an email to the minimum necessary for your clinical purpose. 
  • Whenever possible, avoid transmitting highly sensitive PHI (for example, mental health, substance abuse, or HIV information) by email. 
  • Never use automatic forwarding with your yale.edu email account.
  • Never send PHI by email unless you have verified the recipient’s address (for example, from a directory or a previous email) and you have checked and double-checked that you have entered the address correctly.
  • Always include a privacy statement notifying the recipient of the insecurity of email and providing a contact to whom a recipient can report a misdirected message:

Recommended Privacy statement: Please be aware that e-mail communication can be intercepted in transmission or misdirected. Please consider communicating any sensitive information by telephone, fax, or mail. The information contained in this message may be privileged and confidential. If you are NOT the intended recipient, please notify the sender immediately with a copy to hipaa.security@yale.edu and destroy this message.

You may continue sending PHI by email from one yale.edu email address to another yale.edu email address or to a Yale-New Haven Health System email address (including ynhh.org, bpth.org, and Greenwichhospital.org) so long as you follow the rules above.

You may exchange PHI by email outside the yale.edu or Yale-New Haven Health System network, so long as you follow the rules above AND so long as one of the circumstances below applies:

1. The email is being sent to a non-Yale clinician, research collaborator, or collaborating institution, AND it contains information urgently needed for patient care AND the patient identifiers are limited to name, date of birth, medical record number, or phone number, as needed.

OR

2. The email is being sent to a non-Yale clinician, research collaborator, or collaborating institution, AND it must be transmitted in a timely manner, AND it contains no direct identifiers (name, address, Social Security number, date of birth, phone/fax numbers, or patient email address) and no highly sensitive PHI (for example, mental health, substance abuse, or HIV-related information). Note: Less direct identifiers such as medical record number or initials (for example, “Mr. S”) may be included.

OR

3. The patient or research subject has agreed to the use of email by completing a Consent for Email Communication form (available at http://hipaa.yale.edu/resources/docs/Agreement-For-Email-Communication.pdf).

OR

4. The email is encrypted through a secure messaging system such as Yale Health’s Patient Online or Yale’s secure file transfer application (http://www.yale.edu/its/email/transfer.html). Note: Standard Yale e-mail, such as Outlook, is NOT encrypted.

Please note that the circumstances set out above include different time elements.  You may send PHI by email to non-Yale clinicians or collaborators (circumstances 1 or 2) only if the information must be communicated in an urgent or timely manner.  There is no timeliness requirement attached to circumstances 3 or 4.  

REMEMBER:

  • These guidelines attempt to minimize the risk of a breach of privacy, but they do not eliminate that risk. 
  • Some divisions of the University may impose more restrictive limitations on email, and you must be familiar with those restrictions.
  • If you discover that an email with PHI has been misdirected, you must immediately report it to the security incident hotline: 203-627-4465.