Before You Hit Send…
If emailing off-campus is necessary and permissible under your department or clinic rules, be sure your email is sent via a secure method and goes only to individuals authorized to receive the PHI. Secure methods include
- using the patient portal and
- putting [secure] in the subject line, using the brackets. Messages between ouhsc.edu email addresses are automatically encrypted, as are messages between an OUHSC.edu email address and an HCA email address, so these messages are secure as well.
Sending PHI via unsecured email – even to research sponsors or other providers – is a violation of HIPAA policy and can easily lead to a breach. The Office for Civil Rights may impose monetary penalties for HIPAA breaches, especially those that result from deliberate disregard for patient privacy. Check your email recipients and confirm that the method you are using to send PHI to a non-OUHSC or non-HCA email address is secure – if in doubt, contact OUP IS or IT Security . Finally, be sure you are NOT using auto-forwarding or redirecting your messages to accounts outside of the University email system.