Guidance on the Use of Email Containing PHI
Use of Email to Transmit Protected Health Information: Understanding University Policy
Sending Protected Health Information (PHI) by email exposes the PHI to two risks:
- The email could be sent to the wrong person, usually because of a typing mistake or selecting the wrong name in an auto-fill list.
- The email could be captured electronically en route.
HIPAA requires that we take reasonable steps to protect against these risks but acknowledges that a balance must be struck between the need to secure PHI and the need to ensure that clinicians can efficiently exchange important patient care information. The University’s HIPAA Policy 5123 on Electronic Communication of Health Related Information strikes a reasonable balance. The policy imposes a critical security requirement:
You must never send or receive email containing PHI from any device that does not meet Yale’s Minimum Security Standards. These requirements are outlined in University HIPAA Policy 5100.
In addition, you must continue to observe the following rules:
- Limit the information you include in an email to the minimum necessary for your clinical or billing purpose.
- Whenever possible, avoid transmitting highly sensitive PHI (for example, mental health, substance abuse, or HIV information) by email.
- Never use global automatic forwarding to send emails from your yale.edu email account to a non-yale.edu account.
- Never send PHI by email unless you have verified the recipient’s address (for example, from a directory or a previous email) and you have checked and double-checked that you have entered the address correctly.
- Always include a privacy statement notifying the recipient of the insecurity of email and providing a contact to whom a recipient can report a misdirected message –
Recommended Privacy statement -
Please be aware that e-mail communication can be intercepted in transmission or misdirected. Please consider communicating any sensitive information by telephone, fax, or mail. The information contained in this message may be privileged and confidential. If you are NOT the intended recipient, please notify the sender immediately with a copy to firstname.lastname@example.org and destroy this message.
You may continue sending PHI by email from one yale.edu email address to another yale.edu email address or to a Yale-New Haven Health System email address (including ynhh.org, bpth.org, and Greenwichhospital.org) so long as you follow the rules above.
You may exchange PHI by email outside the yale.edu or Yale-New Haven Health System network, so long as you follow the rules above AND so long as one of the circumstances below applies:
- The email is being sent to a non-Yale clinician, research collaborator, or collaborating institution, AND it contains information urgently needed for patient care AND the patient identifiers are limited to name, date of birth, medical record number, or phone number, as needed.
2. The email is being sent to a non-Yale clinician, research collaborator, or collaborating institution, AND it must be transmitted in a timely manner, AND it contains no direct identifiers (name, address, Social Security number, date of birth, phone/fax numbers, or patient email address) and no highly sensitive PHI (for example, mental health, substance abuse, or HIV-related information).
Note: Less direct identifiers such as medical record number or initials (for example, “Mr. S”) may be included.
- The patient or research subject has agreed to the use of email by completing a Consent for Email Communication form (available at: https://hipaa.yale.edu/sites/default/files/files/5123-FR-contact-information.pdf
2. The email is encrypted through a secure messaging system such as Yale’s instance of Microsoft O365 (formerly known as Yale Connect. For details on how to encrypt an email, please visit https://cybersecurity.yale.edu/email-encryption. The email can also be encrypted using MyChart, or Yale’s secure file transfer application (https://yale.service-now.com/it?id=service_offering&sys_id=5e688dcd6fbb31007ee2abcf9f3ee419). .
Note: You should encrypt emails whenever you send confidential (i.e. HIPAA data) to external email providers. When you send an email to an outside organization using your Yale email, it is NOT encrypted unless you add the word encrypt in brackets to subject line of an email being sent.For example: Subject: [encrypt] Please review today. For more details, please visit https://cybersecurity.yale.edu/email-encryption..
Please note that the circumstances set out above include different time elements. You may send PHI by email to non-Yale clinicians or collaborators (circumstances 1 or 2) only if the information must be communicated in an urgent or timely manner. There is no timeliness requirement attached to circumstances 3 or 4.
- These guidelines attempt to minimize the risk of a breach of privacy, but they do not eliminate that risk.
- Some divisions of the University may impose more restrictive limitations on email, and you must be familiar with those restrictions.
- If you discover that an email with PHI has been misdirected, you must immediately report it to the security incident hotline: 203-627-4465
Frequently Asked Questions
Can I send an encrypted email with attachments?
Yes. When you encrypt the email by adding [encrypt] to the start of the subject line, both the message itself and any attachments are encrypted.
What do I do if a patient sends me an unencrypted email?
Patients can send their own information in any way that they deem appropriate, including via unencrypted email. Patient communication is best done through MyChart, but we recognize that not all patients use MyChart. Before responding to a patient’s email, it is important to verify that the email is in fact from the patient. Some things to consider:
- Is the email address the same as the email address that is on file?
- Does the email contain information that only the patient would know?
If there is any doubt about the authenticity of the sender, contact the patient using the phone number on file in Epic or use MyChart.
In responding to a patient’s unencrypted email, you have several options:
- Respond to the patient in MyChart.
- Respond to the patient using encrypted email.
- Review the patient’s chart to see if they have consented to the use of unencrypted email using the HIPAA Email Authorization form or the HIPAA Representative form.
- Respond to the patient via unencrypted email without including any PHI, including deleting any PHI that the patient had previously sent to you. In your initial response, it would be advisable to confirm that the patient would like to continue sending PHI via unencrypted email.
How do I know if a patient has authorized the use of unencrypted email?
The following are indicators that the patient has been warned of the risks of unencrypted email and has authorized its use:
- Signed authorization for communication form has been scanned into the Epic Media tab.
- There is an email address listed in the patient demographics screen of patient registration. (Note: Staff members are expected to remind patients of the risks of unencrypted email when requesting email addresses verbally.)
- The patient indicates in the email that he or she approves the use of unencrypted email.