Section 24 : Electronic Mail Containing PHI
The UT Dallas email policies and standards apply equally to all individuals granted access privileges to any UT Dallas information resource with the capacity to send, receive, or store electronic mail.
Electronic Mail System: Any computer software application that allows electronic mail to be communicated from one computing system to another.
Electronic Mail (email): Any message, image form, attachment, data, or other communication sent, received, or stored within an electronic mail system.
Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium, including oral, written, and electronic. Individually identifiable health information relates to an individual’s health status or condition, furnishing health services to an individual or paying or administering health care benefits to an individual. Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual.
Ownership: Electronic mail sent, received, or stored on computers owned, leased, administered, or otherwise under the custody and control of UT Dallas is considered to be the property of UT Dallas.
- Email containing PHI must be encrypted and treated as a confidential medical record. However, a patient or the patient’s personal representative may request that PHI be sent in unencrypted form for ease of access or other reasons.
- If a patient or patient’s personal representative requests that PHI be sent in an unencrypted form , the patient must make the request in writing and acknowledge that the Callier Center cannot insure the confidentiality of unencrypted email. The managing clinician must document the reason for the request and be sure that this documentation is placed in the patient’s OMR.
- Failure to encrypt email containing PHI absent the written consent of the patient or the patient’s personal representative is a violation of Callier Center’s policy.
- All Callier Center Workforce must ensure that emails documenting or constituting a medical record are included in the patient’s OMR. Convenience copies and other emails containing PHI should be securely deleted when they are no longer needed for treatment or administrative purposes.
- Employees should routinely review email accounts for emails that should be included in the OMR and delete extraneous emails containing PHI.
45 CFR 164.524(c)(2)(ii)