The University of Texas at Dallas

HIPAA Privacy Manual

Section 8: Electronic Mail containing PHI

Introduction:

The Health Insurance Portability and Accountability Act (HIPAA) privacy and security standards establish mandatory requirements for protecting patients' Protected Health Information (PHI). This policy sets the rules for the use and disclosure of PHI through email.

Audience:

UTD email policies and standards apply equally to all individuals granted access privileges to any UTD information resource with the capacity to send, receive, or store electronic mail.

Definitions:

Electronic Mail System: Any computer software application that allows electronic mail to be communicated from one computing system to another.

Electronic Mail (email): Any message, image, form, attachment, data, or other communication sent, received, or stored within an electronic mail system.

Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium, including oral, written, and electronic. Individually identifiable health information relates to an individual’s health status or condition, furnishing health services to an individual or paying or administering health care benefits to an individual. Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual.

Ownership: Electronic mail sent, received, or stored on computers owned, leased, administered, or otherwise under the custody and control of UTD is considered to be the property of UTD.

Policy:

General Rules:

1. Email containing PHI must be treated with the same degree of privacy and confidentiality as the patient’s medical record.
2. UTD will make all email messages sent or received, concerning the treatment of a patient, part of the patient’s medical record.
3. UTD personnel may use and disclose PHI through UTD’s internal email system as outlined within General Uses and Disclosures.
4. Emailing of PHI within the UTD system (i.e., to other utdallas.edu email addresses) is allowed for treatment, payment, or health care operations.
5. UTD personnel may not send or forward any PHI outside the UTD network via email unless specifically authorized by the patient.
6. When using email, UTD faculty and employees must limit the information transmitted to the minimum necessary to meet the requester’s needs (Minimum Necessary Use & Disclosure) and use de-identified PHI (see De-identification of PHI) whenever applicable.
7. In addition, all external disclosures of PHI through email must be in compliance with Uses and Disclosures based on Patient Authorization and in compliance with Policy on Accounting of Disclosures.

Email Correspondence between UTD Personnel and Patients:

1. Prior to UTD personnel using email to correspond with patients, the patient must consent to the use of email for transmitting confidential PHI by signing the Consent for Email Correspondence located on the back of the general Consent Form.
2. It is the responsibility of each UTD faculty or staff member to confirm that the patient has consented to email correspondence before corresponding with the patient by email. If the general Consent Form on file does not authorize correspondence via email, UTD personnel must have the patient sign a new general Consent Form before any further email correspondence is initiated.
3. Email should not be used to replace a clinical visit. The health care provider should use “due care” in corresponding with the patient through email for treatment.
4. All emails to patients regarding health care must be forwarded to the medical record custodian, as required in Loose Medical Document Handling, at the close of the dialogue to become a part of the medical record.

Email Correspondence between Physicians

Physicians may email other UTD physicians regarding patient matters if the email is sent within the UTD system.

Inclusion of Email in the Medical Record

If email contains PHI for treatment, the email must be printed and forwarded to the medical record custodian for inclusion in the official medical record at the conclusion of the dialogue.

Accounting for Email Disclosures

When disclosing PHI through email, the release must be documented and accounted for as outlined in Accounting of Disclosures.

Enforcement:

All supervisors are responsible for enforcing this policy. Individuals who violate this policy will be subject to the appropriate and applicable disciplinary process, up to and including termination or dismissal.