Section 24: Electronic Mail Containing PHI
The UT Dallas email policies and standards apply equally to all individuals granted access privileges to any UT Dallas information resource with the capacity to send, receive, or store electronic mail. Callier Center workforce members are required to use UT Dallas-issued email accounts for any email correspondence containing PHI.
Definitions
Electronic Mail System: Any computer software application that allows electronic mail to be communicated from one computing system to another.
Electronic Mail (email): Any message, image form, attachment, data, or other communication sent, received, or stored within an electronic mail system.
Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium, including oral, written, and electronic. Individually identifiable health information relates to an individual’s health status or condition, furnishing health services to an individual or paying or administering health care benefits to an individual. Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual.
Ownership: Electronic mail sent, received, or stored on computers owned, leased, administered, or otherwise under the custody and control of UT Dallas is considered to be the property of UT Dallas.
Sending Emails
- Unencrypted emails containing PHI must not be sent outside the internal email network. However, a patient or the patient’s personal representative may authorize Callier Center to send PHI in unencrypted form for ease of access or other reasons.
- If a patient or patient’s personal representative requests that PHI be sent in an unencrypted form, the patient must make the request in writing and acknowledge that the Callier Center cannot ensure the confidentiality of unencrypted email sent externally. The documentation of this authorization must be placed in the patient’s OMR.
- Failure to encrypt email containing PHI absent the written consent of the patient or the patient’s personal representative is a violation of Callier Center’s policy.
Maintaining Emails
- All Callier Center Workforce must ensure that emails documenting or constituting a medical record are included in the patient’s OMR. Convenience copies and other emails containing PHI should be securely deleted when they are no longer needed for treatment or administrative purposes.
- Employees should routinely review their email accounts for emails that should be included in the OMR and delete extraneous emails containing PHI.
45 CFR § 164.524(c)(2)(ii)
Effective: 04/14/2003
Revised: 08/01/2022, 04/13/2013
Reviewed: 03/26/2021, 12/08/2015
Heather Zimmerman, HIPAA Privacy Officer
UT Dallas Callier Center